2014 is nearly upon us. Here are some comments from Tripwire, the Security experts, about what they expect the new year will bring.
Craig Young, security researcher:
I suspect that in 2014 we will see mobile malware reach new levels of sophistication as BYOD becomes more prevalent in the workplace. Mobile devices may be targeted not only for the data they store but also for the systems and services they can access. To combat this threat, end users need to become more vigilant about the applications they install and the networks they connect to with their smartphone or tablet.
In recent years, consumer routers have become considerably more powerful and therefore more attractive to attackers. These devices are plagued with security flaws which are commonly ignored by vendors and even more commonly ignored by consumers. If it hasn’t already happened, 2014 could be the year of the conficker sized botnet of consumer routers.
Tyler Reguly, technical manager of security research and development:
1) More people will realize that CVSSv2 is a flawed scoring mechanism and CVSSv3 will fail to deliver any meaningful improvements.
2) With improved bug bounty programs and reward systems, we’ll finally see a major leap forward in web browser protection. However, AV companies will continue to use the same techniques discussed in the late 1980s.
3) Hope: Java will finally be deemed unsafe by enterprises and slowly start to disappear. Prediction: Java will remain popular in enterprise environments because ease of use / deployment continues to trump security.
4) Attackers will begin to target the makers of popular cell phone apps, silently embedding malicious software in the source code for these apps. Ultimately this will lead to a winner in the cell phone war, determined not by features but by who provides the best protection for their users.
Ken Westin, security researcher:
The 130 million encrypted passwords that were part of the Adobe compromise will be decrypted within the next few months, providing malicious hackers with a large database of passwords to utilize in brute force tools as well as additional compromises simply because people use the same passwords on multiple accounts.
In general we will continue to see large scale compromises of user data including user name and passwords which will increase demand for two-factor authentication and a boom in biometric technology startups as people and businesses struggle with how to keep accounts and data secure.
Windows XP will be end of life in April which will be a boom for malicious hackers who will have an arsenal of saved unreleased vulnerabilities at their disposal. With every Patch Tuesday hackers will be reverse engineering patches to see if the vulnerabilities for Vista through Windows 8 also affect XP.
We will continue to see additional documents released by Snowden that will unveil further cyber surveillance both domestic and foreign. Evidence that the U.S. is not the only country involved in these types of surveillance activities will also become widely available. These allegations will hurt U.S. businesses as international organizations seek more secure services free from snooping governments.
Journalists are deploying SecureDrop en mass, from Forbes, New Yorker, Wired with additional publications to follow. Within the next year every major publication will have a method to receive whistleblower and insider documents that protect whistleblowers’ identity, reducing the risk for future Snowdens and Mannings. As a result we will begin to see more and broader leaks worldwide. Journalism will in turn become a more dangerous job and will require reporters working with sensitive data to be up to speed on security and privacy best practices.”
Tim Erlin, director of IT risk and security strategy:
With the proliferation of the ‘measured self’ movement, including more and more personal data collection, there’s no doubt that at least one of these treasure troves of personal data will be breached in the coming year. That breach may come in the form of a direct data theft, or more likely in the form of a meta-data privacy compromise where some enterprising individual figures out a way to combine public or semi-public data with disturbing results.
Edward Snowden may be the individual to thank for the growth in non-use cloud providers. The information about how the NSA has been collecting data, whether entirely accurate or not, will drive adoption of providers outside the United States. In fact, this has already started with Swisscom:
What do you get when you combine a large collection of personally identifiable information and a brand new, government implemented platform for managing it? A big target, that’s what. While we debate whether the ACA has created a health care revolution, there’s little doubt it’s created a shiny new target for hackers and accidental leaks. It’s likely that 2014 will see a significant breach of privacy or theft of data from state health care exchanges.
Embedded devices are everywhere, and we instinctively believe that because they’re contained inside a tidy little box, they’re more secure. The fact is, they aren’t, and researchers have been spending the latter half of 2013 demonstrating that fact. These devices won’t be updated quickly, and consumers will lag behind in applying those updates, creating a growing target surface for compromise in 2014.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.