Internet Security Systems - AlertCon(TM)

Week of (everyone else's) Security Predictions 2009 - Day 5

Posted by Gunter Ollmann on January 09, 2009 at 3:23 PM EST.

It’s finally Friday and I could hear the weekend calling even as I drove to work this morning.

Today brings us Day Five and the final installment of the “Week of (someone else’s) Security Predictions 2009”. Given the number of security predictions that have been made, I could keep on going for a month or two, but they all start getting repetitive after a little while. Who said security vendors never agree?

In yesterday's analysis (Day Four) we perused the crystal-ball efforts of Websense. With their emphasis on Web content filtering, five out of their six predictions revolved around threats that can be solved (to some degree) with adequate Web filtering product deployments (coincidence?). That said, I can't really fault their predictions, even if they were less of the crystal-gazing variety and more of the conservation-of-energy variety, as the ball continues its roll down the mountain.

With so many predictions available, for this final day I’ve decided to take a closer look at an organization that’s not trying to sell product off the back of their predictions. Well, technically they’re not selling product, but they do have a vested interest in the predictions they make. Welcome to the “Four Threats For '09 That You've Probably Never Heard Of (Or Thought About)” from the online IT security news magazine – Dark Reading.

Dark Reading’s Security Predictions 2009

The security predictions of Dark Reading are a little out of left-field when compared to those that I’ve covered already this week. But that was intentional - since Dark Reading wanted to discuss some of the lesser-known and more obscure threats predicted for 2009.

(1) An Internet “e-bomb”

“…with the [hacking] work being done on Cisco and routing gear in general we'll see the first wide-scale 'e-bomb' that will break peering between ISPs and make large portions of the Internet unreachable… expects botnets to become used for more lethal purposes, such as launching large-scale attacks on the Net's underlying infrastructure”

This is one of those predictions that if you say it won’t happen, someone will intentionally go out of their way just to prove you wrong. Sure we saw several notable flaws being discussed throughout 2008 concerning core Internet protocols and even some limited proof of concept advances. But, at the end of the day, I’m doubtful we’d see any widespread carnage from attackers abusing these flaws. Sure, there would be an almost limitless amount of media releases concerning public exploitation of the flaws (even more than the media hype that initially surrounded the disclosure/proof of those flaws), but their business significance is rather limited – maybe even negligible as far as 2009 is concerned.

If we look at the overriding security trend over the last 3-5 years, it’s been that big attacks are all about the money. Cybercrime is a business, and if an attack isn’t profitable or is going to adversely affect that business, then it’s not going to happen.  It’s almost getting to the point that if you were to take out a chunk of the Internet, not only would you have local law enforcement on your tail, but you’d probably have the Mafia issue a hit on you for their loss of earnings. There are a few more comments to this tune on Rafal’s blog which I also commented on.

There's another point I'd bring up about why this isn't really a threat in 2009: I don't think it's possible to do on a significant scale any more. The Internet is more than a backroom of servers; it's a distributed system of interconnected, non-dependent networks. Case in point: late in 2008 three quarters of the core intercontinental data lines between the Middle East, South East Africa and Europe were physically broken at the same time, and to a sizable extent most of the Internet didn't notice. Sure, there were latency issues as traffic was rerouted through the remaining (oversubscribed) connection, but local people doing online business with local operators never really noticed.

(2) Radical extremist hackers

“…predicts that 2009 will be the year that Middle Eastern cybercartels expand into online fraud. A recent wave of fatwas issued by radical Islamic religious leaders in that region authorizing these groups to use cyberattacks to defend Islam has opened the door for these groups to wage cyberattacks…”

Well, we're only nine days into 2009 and we've already seen this prediction play out as Israeli and Islamic sites get hacked and defaced on a daily basis. But then again, it's been something that's been going on since the first Web vulnerabilities allowed someone to remotely deface a site with a political message.

In 2008 we started to hear about greater support for hackers launching cyber-jihads, such as the $2000 cash bounty offered to hackers by Iran and Hamas as they declared digital war on Israel. But if the truth be told, I think the absolute threat from radical extremist hackers in 2009 is pretty low – extremist hacking is quite different from all out cyber-warfare between competent and trained government funded/supported units.

I do worry about the role social networks play in this evolving threat landscape though. Given the general availability of bandwidth-consumption attack tools (e.g. HTTP and SYN flooders) and how easy it is to launch a successful attack if you have access to enough hosts, I suspect that the ongoing evolution of social network sites will offer a convenient coordination point for future targeted attacks. We saw a partial example of this when thousands of Chinese citizens took up cyber arms to launch a coordinated attack against CNN because of its coverage of the Olympic torch relay. In the future, I think we will see more of this kind of coordinated attack, and it may or may not be "extremist" depending upon whose side of the fence you're sitting on.

(3) Attacks on online ad revenue

“…attackers could wreak havoc on online ads and their potential revenue by compromising the ad's source… they could compromise the systems as well”

Most of this prediction was already fact throughout 2008. We saw plenty of IFRAME attacks using online advertising distribution channels for drive-by-download attacks, and I expect that trend to continue because it's an economical delivery channel with an extremely wide pool of potential victims.
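To make the IFRAME-via-advertising threat concrete, here is an added example (not code from the original post or from Dark Reading) of the kind of check a publisher or ad network could run over an ad creative before serving it. It flags iframes that are sized to be invisible, hidden via CSS, or pointed at a host outside an assumed allow-list of ad-serving hosts. The HTML samples and the allow-list are constructed for illustration only.

```python
"""Audit an ad creative for injected/hidden IFRAMEs (added example, not from
the original post). ALLOWED_AD_HOSTS and the sample creatives are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed assumption: hosts this publisher expects creative to load from.
ALLOWED_AD_HOSTS = {"ads.example-adnet.test", "cdn.example-adnet.test"}

# width/height of 0 or 1 (with or without "px") is the classic drive-by size.
_TINY = re.compile(r"^\s*[01](?:px)?\s*$")
# Inline CSS that makes a frame invisible or pushes it far off-screen.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top)\s*:\s*-\d{3,}px|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)",
    re.I,
)


class IframeAudit(HTMLParser):
    """Collects one finding per suspicious <iframe>, with the reasons."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        w, h = a.get("width", ""), a.get("height", "")
        if _TINY.match(w) or _TINY.match(h):
            reasons.append(f"tiny frame {w or '?'}x{h or '?'}")
        if _HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()   # handles "//host/.." too
        if host and host not in ALLOWED_AD_HOSTS:
            reasons.append(f"src host {host} not in allow-list")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def audit_creative(html):
    """Return a list of {"src", "reasons"} dicts; empty means nothing flagged."""
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate 300x250 banner frame from the ad network.
CLEAN_CREATIVE = (
    '<div class="ad"><iframe src="http://ads.example-adnet.test/banner?id=42" '
    'width="300" height="250" frameborder="0"></iframe></div>'
)
# Constructed sample: the same creative with a 1x1 hidden frame appended, the
# shape of the drive-by injections the post describes.
INJECTED_CREATIVE = CLEAN_CREATIVE + (
    '<iframe src="http://dropzone.example-malware.test/in.php" width="1" '
    'height="1" style="position:absolute;left:-9999px;visibility:hidden"></iframe>'
)

if __name__ == "__main__":
    for label, creative in (("clean", CLEAN_CREATIVE), ("injected", INJECTED_CREATIVE)):
        print(label, audit_creative(creative))
```

The allow-list check is the one that matters most operationally: size and CSS heuristics can be evaded by an attacker who controls the injected markup, but a frame that loads from a host the ad network never agreed to serve from is a policy violation regardless of how it is styled.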

Personally, I don't know why end users don't just automatically block most of the advertising content coming down to their browsers. I've used a mix of HOSTS file domain nullifications in the past (e.g. assigning the local loopback address to domains known to host only advertising content), and would eagerly invest in a piece of software that automatically scrubbed all those adverts before they got to my Web browser.
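As an added example (not code from the original post), here is the HOSTS-file nullification approach the paragraph describes, together with a lookup that mimics what the resolver actually does with that file. It shows the main caveat of the technique: hosts-file matching is exact, with no wildcards, so every ad subdomain has to be listed individually or it falls through to real DNS. The ad domains and the sinkhole address are constructed assumptions, not a real blocklist.

```python
"""HOSTS-file ad nullification, with a check of what it does and does not block.

Added example, not code from the original post. AD_DOMAINS is a constructed
placeholder list, not a real blocklist; the sink address is an assumption.
"""
import ipaddress

# Constructed sample: domains we assume serve nothing but advertising.
AD_DOMAINS = [
    "ads.example-adnet.test",
    "track.example-adnet.test",
    "banner.example-ads.test",
]

# The post assigns loopback (127.0.0.1). 0.0.0.0 is the usual alternative:
# connections to it fail at once instead of reaching a local web server.
SINKHOLE = "0.0.0.0"


def render_hosts_block(domains, sinkhole=SINKHOLE):
    """Lines to append to /etc/hosts (or the Windows hosts file)."""
    ipaddress.ip_address(sinkhole)  # raise early on a typo in the sink address
    names = sorted({d.strip().lower().rstrip(".") for d in domains if d.strip()})
    lines = ["# --- ad sinkhole (generated) ---"]
    lines += [f"{sinkhole} {name}" for name in names]
    lines.append("# --- end ad sinkhole ---")
    return "\n".join(lines) + "\n"


def parse_hosts(text):
    """Parse hosts-file text into {hostname: ip}.

    First match wins, as in the system resolver, so a later duplicate entry
    cannot override an earlier one. Malformed lines are skipped, not fatal.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            table.setdefault(name.lower().rstrip("."), ip)
    return table


def resolve(hostname, table):
    """Hosts-file lookup semantics: exact, case-insensitive match only.

    There are no wildcards, so an unlisted subdomain (cdn.ads.example...) is
    not matched and falls through to real DNS; None stands for that here.
    """
    return table.get(hostname.lower().rstrip("."))


def is_blocked(hostname, table, sinkhole=SINKHOLE):
    """True only if the name resolves, via the hosts file, to the sinkhole."""
    ip = resolve(hostname, table)
    return ip is not None and ipaddress.ip_address(ip) == ipaddress.ip_address(sinkhole)


if __name__ == "__main__":
    hosts_text = "127.0.0.1 localhost\n" + render_hosts_block(AD_DOMAINS)
    print(hosts_text)
    table = parse_hosts(hosts_text)
    for name in ("ads.example-adnet.test", "cdn.ads.example-adnet.test", "localhost"):
        print(f"{name:30} blocked={is_blocked(name, table)} -> {resolve(name, table)}")
```

The unlisted-subdomain case is why hosts-file lists grow to thousands of entries and still miss things; a proxy or DNS resolver that can match on domain suffixes does not have that limitation, which is what the "software that scrubs adverts before the browser" wish amounts to.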

That said, the Dark Reading prediction revolves around attacks that would result in a net decrease in revenue for advertising-dependent businesses. I suspect that this will be true for 2009, as we will see more advances in Web filtering technologies and greater paranoia about blocking cross-domain content. Unfortunately for them, I don't feel too much sorrow about this prediction.

(4) Human casualties

“…human lives could be affected by a cyberattack like that of those hospitals or attacks on national infrastructures such as utilities…”

This is a tricky prediction. On one hand, I already know of real human casualties that have occurred over the last decade due to worm outbreaks and wireless DoS that unfortunately propagated to networked surgical devices and shut them down at critical times. On the other hand, these were extremely unfortunate events that were not instigated intentionally by a knowledgeable hacker. With that said, I know there is plenty of scope for human casualties if a knowledgeable hacker targets the right equipment at the right time.

But let's not get ahead of ourselves. There is plenty of scope for human casualties should someone wish to cause them. Just opening up the back of a local traffic light control box and messing around with the controls (either physically, or remotely through an implanted wireless connector) would likely have serious consequences at a heavily trafficked junction. And then there are all the things someone could do if they hacked into a nuclear power plant, even if only to shut it down for a couple of hours, and the consequences for dependent hospitals, at-home care, and those traffic lights again.

So as for a prediction of 2009 – more of the same I think with regards to human casualties.


Well, that's it! That's the final analysis of someone else's 2009 security predictions. I hope you've found the endeavor interesting and perhaps gained a little more perspective into the threats as I see them in 2009. Am I expecting to be 100% right about these predictions and my own related sub-predictions? No. Otherwise I'd be winning the national lottery with the following predictions… 06, 07, 14, 19, 26, 39, …

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.