
What's not going to happen in 2011: Anti-Predictions

By Guillaume Lovet | January 17, 2011

It's the beginning of 2011, which means network security vendors’ threat predictions for the year to come have mysteriously appeared in their crystal balls by now.

Making informed security predictions can be an easy or difficult task depending on the approach taken. The easy way out is to look back at the biggest trends of the last year and talk about how they will continue into the next. The idea is to keep the prediction vague and difficult to verify in case the prediction ultimately turned out to be off the mark. Writing useful and verifiable predictions, on the other hand, is considerably more difficult and risky because no one really has the power to predict the future, and the evolution of malware is partly ruled by chaos theory. Plus, who really likes to admit when they’re wrong?

This year, in addition to our own "predictions," FortiGuard Labs tried something different, albeit a little risky. In an effort to shake things up, the Lab put its collective heads together and came up with a list of five network security anti-predictions, or, more specifically, the threat trends they believe we’re NOT likely to see in the coming year.

1. No True iPhone Malware in the AppStore in 2011

Yes, we know Apple's screening of submitted apps is not infallible, and, no, it doesn't mean we won't see iPhone malware in 2011. To be clear, Apple’s App Store-installed applications run sandboxed and do not have complete, direct access to a phone’s resources, such as a W32 binary would have on a Windows system running as admin, which is usually required for genuine malware activity, such as live keylogging and injecting data in the Web browser.

In 2010, a proof-of-concept rogue iPhone app called "SpyPhone" was released into the AppStore, but it did little more than report the infected user's Safari searches, YouTube history and keyboard cache. Some apps were leveraging this for adware-ish activity, but we'd hardly qualify what we saw as malware. While exploitation of flaws could make the sandbox porous and eventually let a rogue app seize total control of the OS, we believe cybercriminals are just not there yet. Some researchers may be, but a proof of concept (PoC) doesn't count. Regardless, in the eyes of cybercriminals, malware is better off sitting on the Web and installed via browser exploitation (or exploitation of any other third-party component), where it can be moved around and re-spawned, rather than in the App Store, where it can quickly be taken down.

Bottom line: We don't think malware will penetrate Apple's App Store in 2011. And, even if it does, that malware will be short lived.

2. Not Another Stuxnet in the News in 2011

The mid-year news of a SCADA facility presumably being physically disabled by malware proceeds from an exceptional confluence of conditions. Specifically, there had to be someone with all the necessary assets to mount the attack, which would include inside intelligence, virus coders, SCADA specialists, zero-day exploits and field agents, and there had to be a motive strong enough to actually mount the attack. At the same time, that someone had to neglect taking precautions to ensure the malware didn't spread outside the targeted area; otherwise, no one would probably have known.

Bottom line: We don't think this particular situation will happen again anytime soon. Cyberwar acts will certainly happen, but you won't hear about it, unless you can "reposition the satellite" like Chloe in Fox network’s “24” to get the live feed going.

3. The Rogue Antivirus Gang Won't be Arrested in 2011

When running an illegal business that's worth $150 million per year, there's a good chance that the law is going to be after you. However, if you happen to be operating in a country that:

- is not hosting victims of your illegal business, because you've built your malware to turn itself off when it runs into a fellow citizen (a common feature in Rogue AV, which used to be implemented in ZeuS as well),
- hasn't ratified the international Convention on Cybercrime, and
- has no real incentive to cooperate with the "victims' countries," as that business somehow profits its local economy, in which part of the $150M/year ends up (minus the $$$ spent on yachts and cocktails in the Caribbean),

then things suddenly become less risky.

Bottom line: This is one anti-prediction we'd be delighted to get wrong.

4. Security in the cloud will not eclipse on-premise security devices in 2011

Some security vendors have embraced the Cloud and have already written the epitaph for security appliances. Nonetheless, in spite of the amount of attention given to cloud-based or virtual approaches to deploying security, we firmly believe the anticipated demise of the network security appliance will not happen in 2011:

- Concerns remain over performance and the ability to provide comprehensive network visibility.
- Customers also want to consolidate their security. Cloud-based approaches often lack the 'single pane of glass' management and integrated feature set that is so important to many enterprises.

Bottom line: On-premise deployments will trump the cloud in 2011. Fortinet offers solutions for both on-premise and 'in the cloud' security, but we think that network security appliances will still experience strong growth.

5. No Google Wave attacks in 2011

Last year, it was often predicted that there would be attacks on (or leveraging) Google Wave. It didn't happen. For the sole purpose of making a tongue-in-cheek remark, we'd say we're pretty sure this won't happen in 2011 either.
Now, as for its successor, Apache Wave, who knows; but in any case, it's very unlikely this year.

-- With Axelle Apvrille and Patrick Bedwell
