Top Ten Threats for 2007 - As Reported by Richard Stiennon
If you don’t remember who Richard Stiennon is, think back to a few years ago and see if you can remember the words, “IDSs are dead”. Ring a bell? He is an analyst at Gartner focusing on security. I met him several years ago, although I’m sure he would have no idea who I am now, even though I accurately predicted the rise of event correlation (SIM) services. Well, I found his blog almost by accident today, and his most recent post actually turned out to be fairly interesting. He wrote about the top 10 threats for 2007. He was a little scattered in the topics he went into, but most of them were pretty interesting to discuss. Here are some of my thoughts:
His second and third predictions are that DDoS in support of phishing and fraud will become a big deal in 2007. I really don’t see this one happening. I get what he’s saying, but DDoS is noisy, and doesn’t actually aid in phishing. Plus, if the bad guys have compromised servers, why not use them for more phishing, which is far more lucrative than shutting down a server (except in the random cases of extortion - “pay me $10k and I’ll let your server come back up”)? I just don’t believe this is happening all that often. The bad guys can make $10k per phishing incident. It’s way more scalable to stick to phishing. I only know of two cases where DDoS extortion has happened, and both of them were online casinos.
He suggests in his fourth bullet that DNS will be a huge target over the coming year. Maybe. It’s hard to say, especially since it’s far easier to let it work for you in the case of XSS malware. I’m not sure I agree with this since there are easier ways to attack a target. But you never know. I also thought pharming would never be a big deal when everyone was hyping that one up and… er… no wait, it never was.
His seventh bullet talks about MySpace having to grow up and become more secure like the rest of their competitors. I don’t know that I agree that this is the 7th largest threat in 2007 (shutting down one community site), but I think the ramifications of why this is happening are easily within the top 10. He’s got a good point here. I think something that we have not spent enough time thinking about is the downstream impact of these types of issues on large businesses. Could a few XSS holes literally shut down a billion dollar company? That’s a big deal.
Number eight is also about XSS, although Richard doesn’t mention the word. He talks about backdooring media files (pdp’s backdooring of QuickTime files and MP3 files, no doubt) as well as spam advertising inside of the movie files. I would hardly call this the eighth biggest threat on the Internet, because the files can be scanned for the backdoor, and who cares if there is a little spam. It’s not a big threat to the Internet. So, unfortunately, I think he’s way off on this one.
Number nine is about how the global network infrastructure is showing signs of strain under the new heavyweight content of the dynamic Internet. I doubt this really will mean much to anyone other than more use of content delivery networks, as well as additional money for the carriers who lay fiber (which was his comment).
His number ten threat is that Vista isn’t going to do anything in terms of security. Well, that’s probably true, but that’s not a new threat; that’s just not an increase in security to match the increase in the level of attacks against the new platform. But who wants to go after desktop machines when everyone is putting their information online anyway? That’s where the real money is. The only reason people go after home computers these days is to install keyloggers and turn them into spam/phishing machines. Also, the bigger issue is that everything is becoming web enabled. Alas, my prediction is that we’re going to see a lot more high-profile information disclosures next year. So I think he had the right idea, but he didn’t take it to the next obvious place.
I don’t mean to put Richard down here - he’s a very bright guy. Unfortunately, I think this year he spent too much time talking to a few people who didn’t have their finger on the pulse of the real issues. No doubt 2007 will be interesting though. I’m looking forward to it.

December 31st, 2006 at 8:25 pm
I gotta disagree with number seven about MySpace as well - but for a different reason. MySpace is already more secure than any other social networking site - save Facebook - and still manages to allow far more options to their users to add content than any other. Facebook I would say is more secure, but they have it easy .. there really isn’t much user content you can add to Facebook, and no HTML whatsoever.
Obviously they’ve had many holes this year and several XSS worms - but that’s mostly because of their success in my opinion. If I’m gonna write an XSS worm, it’ll definitely be for MySpace .. 100 million victims is too good to pick anywhere else. I’d challenge him or anyone to find a more secure social networking site - big bonus points if that site allows HTML content. (kinda sad that it’s the safest and still holey, mais c’est la vie et la confiture)
January 2nd, 2007 at 3:38 pm
I like the fact that you posted your comments on someone else’s article and you have your points. Why not post your predictions for 2007 and what *YOU* think will be the REAL issues, so that others can do the same to your post? I mean, it is only fair, no?
MySpace would not even be on the radar if it was not home to 100+ million users, many of whom would not know a thing or two about security. It is sad really. I do expect them to be a target for 2007 along with many other web sites (credit card sites, banks etc.). Follow the money, follow the crowds. That is where you will find the criminals trying to pickpocket them all.
January 2nd, 2007 at 4:49 pm
I’m really not into the 2007 predictions stuff. I know a lot of people like to do that kind of thing as link bait, but I think it’s a cheap futile trick (cheap because it takes ten minutes to write while only eleven minutes of thought and futile because who does anything based on that anyway?).
You wanna know what my prediction for 2007 is? More stuff is going to get broken and more websites will get hacked. Beyond that I’d be guessing. I just don’t happen to agree with most other people’s predictions, nor do I care to put myself out on the line to be pointed at a year from now by people like myself - with that twinge of disdain over how lame it is to make predictions. I guess what I’m saying is I try to avoid being hypocritical and wrong as often as possible.
January 3rd, 2007 at 11:20 pm
Point well taken. Can I make one prediction? More people will pay attention to this blog in 2007.
I for one will continue my research and monitor the information you post here regarding web applications and the threats against them. Thank you.