You can call me a pundit, I guess, but I don’t like making predictions. Most industry forecasts are horribly inaccurate and miss the stuff people will care about a year later.
For me, it’s hard enough to digest what happened in the past and make sense of it, but this was a landmark year. Here are a few of the trends I saw in 2015 that I believe will change computer security as we know it, either for better or worse.
Anonymous is rarely anonymous
No, I’m not talking about the hacktivist group. I’m talking about the average person’s illusion of anonymity, which is finally being recognized as the fraud it has always been. Apparently, even the creators of bitcoin have been exposed.
No matter how many criminal kingpins are arrested, they still use Tor, supposedly the ultimate protection of anonymity. It’s obvious that governments and even university students can find you. Yes, Tor provides protection -- possibly some of the best privacy protection -- until someone really wants to find you.
This applies to the Anonymous hacker collective as well. Members of Anonymous and other supposedly anonymous groups are routinely arrested. Lizard Squad is another example of supposedly supergenius uber-hackers, skilled at hiding their identities, but they’ve been busted, too.
I personally know of another ongoing sting operation where the hackers involved think they’re using hacked servers, but those servers -- and the hacker’s encryption keys -- are completely under the control of the government. I've viewed transcripts of the incriminating conversations and transactions, and I have only one thing to say: Enjoy prison!
Privacy is bigger than ever
In the wake of all the NSA news -- not to mention the CISA bill signed by President Obama -- even the largest vendors are trying to make our data and communications more secure. You have several companies taking cases against government intrusion to the Supreme Court. Apple is encrypting all customer data by default, so even Apple can’t decode it, and many other companies are following suit. I thoroughly expect all major vendors to do this.
Many larger corporations have or are recruiting Chief Privacy Officers, and even those that aren’t show a newfound respect for customer privacy. Phone apps routinely get pulled when they’re found to be violating privacy guidelines. Even though I think most people still acquiesce to having their privacy invaded, it seems they're at least more concerned about it. The smartest companies are the ones not storing data that can be used to invade people’s privacy in the first place.
IoT is here -- maybe not for the better
Everything is getting an IP address, even toasters. As predicted, most of these devices are hideously insecure. Just as predictable are the competing sides' arguments: One side wonders how their insecure IoT device could possibly be risky, and the other side talks digital Armageddon.
The reality is that some people and things will be hurt on an ongoing basis by insecure devices with IP addresses. It’s been a part of life for a long, long time. Many years ago when I was an EMT, I found out that a power interruption had caused an erroneous lab result to be printed in a cardiac care unit, which ultimately resulted in a patient dying due to incorrect diagnosis and treatment. Misbehaving devices kill people, then and now.
As more objects get an IP address, the opportunity for problems will expand, especially when our networks are overrun by malware and malicious cyber criminals. But unintended bugs and intended deceptions (hello, Volkswagen?) will probably cause more harm than the real bad guys. I’m at least thankful that the car industry is starting to take the threat seriously, especially as the era of self-driving vehicles seems to beckon.
Containers have arrived, adding complexity
Like the proponents of virtual machines a decade ago, the champions of containers keep overstating the potential to make security easier. Ten years ago, every VM vendor touted its product’s ability to decrease security risk. I was one of the early scoffers -- I could plainly see that VMs had every risk non-VM systems had, plus host-to-guest, guest-to-host, and guest-to-guest issues. Time has proven that we aren’t less hacked because of VMs.
Containers are the same way. Supposedly, because the app and the OS can be separated from each other, security is easier to accomplish. Nothing could be further from the truth. Containers add complexity, and like VMs, they have the same issues as their noncontainer counterparts -- and more. They increase risk at the application layer. Don’t believe the hype.
Every exploit became a cartoon character
As I cynically predicted in 2014, every exploit and malware program now comes with a complete advertising campaign. They not only get their own names, but branding, including logos.
Typically, they get the scariest name possible, such as Google’s recent FireEye vulnerability -- labeled “666.” They name it after the devil, but it’s a vulnerability that will be quickly patched by the vendor and forgotten in a week.
It makes me wonder whether someone should catalog all the names and logos to avoid copyright issues. I think this is at least the fifth exploit labeled “666” since I’ve been in the business, including this one. I think malware called “Satan” or “Natas” (Satan spelled backward) is even more popular.
SSL was replaced by TLS
SSL finally died and was replaced by TLS. However, make sure your website is using the latest version of TLS -- 1.2 at this writing, although 1.3 is soon to be released. Running older versions of TLS is as bad as running the notoriously vulnerable SSL. My Christmas wish? I hope more people start saying “TLS” instead of “SSL” to mean an encrypted connection. SSL is an old, disabled, and vulnerable protocol. What people usually mean is they are getting a TLS certificate for an HTTPS website or connection. Say the right thing, people!
More hackers were busted
Every arrest of a malicious hacker warms my heart, and this year it seems like we arrested more than ever. Yes, it’s still probably 1 percent of 1 percent of 1 percent of harmful hackers, but that’s better than nothing. Even China arrested some APT attackers. That’s mind blowing!
How 2015 stacked up
The only viable assessment of the year in security boils down to a single question: Were users less vulnerable to maliciousness than in past years? This year is clearly no. No matter how our software and security tools improved, people and companies seemed as easy to exploit this year as in past years, if not more.
Some people think it can never get better. But we can make improvements, even in the macro sense. In the real world, crime and violent crime has fallen for decades (aside from a recent uptick). We can take action, often many aggregated moves, that can lead to meaningful declines. Only that hope keeps me writing about computer security. We can do better.