Perhaps two of the biggest computing trends that have gained momentum in the past year have also opened up some of the biggest security problems that the internet has faced in its entire history. Cloud services and Mobile internet afford us maximum flexibility and ease of access to the information that we want and need on a daily basis. That ease of access and flexibility has also increased our vulnerability. In this article, we look at recent security trends and what they portend for the coming year.
Since mobile computing seems to be all abuzz, it is no wonder that hackers, crackers and hijackers are all focussing on the platforms that we are starting to use even more frequently than our home computers. This year, numerous Android vulnerabilities have been exposed and it seems that in the last few months the pace is picking up. Last month, a backdoor on many Android devices effectively took advantage of many of the default applications installed on particular phones to gain root access to the devices. Earlier this year, Google pulled 21 applications from its Android Market in a major malware scare. As a result, Google put security at the forefront of its agenda while developing Ice Cream Sandwich. Undeterred, security experts have already pointed out a number of security flaws that have been opened up as a result of many features available on the new Android platform, and some have even gone to the lengths of demonstrating them in action.
iOS has not been without its own security issues. Recently, Charlie Miller announced a major security flaw in Apple’s mobile operating system. Apple’s response was to suspend him from their developer program. Earlier this year, a critical iOS vulnerability remained unpatched for over a week.
In the coming year, I expect that platforms such as Android and iOS are likely to see a lot more in the way of malicious attack. Indeed, with many mobile phone payment systems coming into place, tablets and phones are quickly becoming equivalent to the average person’s wallet. Most of these devices are almost permanently connected to social networks like Facebook and Google+, meaning that a compromise can offer a wealth of identity information to thieves and fraudsters. Security on these devices is going to become a hot news topic throughout 2012.
Yep, this one is already getting old, but with Zuckerberg’s personal photo archive now freely available on the Internet, you have to wonder where security is headed when it comes to the world’s big social networks. Certainly, there has never been a greater store of personal identity information than in these social networking sites. So naturally these are big targets. But a more interesting trend is also emerging. Instead of using darknets and secret chat rooms, hacker groups like LulzSec and Anonymous are boldly using social networking sites to promote and coordinate their efforts. Last year, June’s Operation Anti-Security, a joint effort by LulzSec and Anonymous, was advertised on Twitter and involved cyber attacks on the FBI and affiliated agencies. Social Networking has certainly been used to wide effect to mobilize activist groups such as the Occupy movement.
These trends are powerful forces that have national and international security implications. But social networking sites also provide incredible resources to crime fighting services. Last year we saw increasing measures taken by governments around the world to gain control over these networks and to have deeper access to their content. General privacy concerns aside, this trend is likely to see an increased number of vulnerabilities appear within these networks.
Increased governmental control
That leads to my next trend which will see governments fighting it out for much greater control over user data available on the internet. Just recently, India announced that its current government was in legal talks with Facebook and Google in an effort to counter anti-corruption groups that are using social networks to spread discontent. Meanwhile, Facebook is hiring current and former Whitehouse members in an effort to gain better lobbying power in the US government. During the London Riots David Cameron, the UK Prime Minister, announced that the UK would begin exploring greater control over social media and networking sites, to the level of controlling who has access to these services.
The SOPA bill that has been hot news in the US recently, along with the Protect IP act, also indicate how government is moving to gain increased control over the Internet and global communications. The tension around this parliamentary debate is massive, and opponents are outspoken in their recognition of the act’s strong censorship-leaning nature. It prompted Eric Schmidt from Google to say “The solutions are draconian… The bill would require (Internet service providers) to remove URLs from the web, which is also known as censorship last time I checked.”
Censorship on the Internet is gaining momentum. Indeed, India’s recent appeal to Google, Facebook and Twitter are disturbing. Equally disturbing is Turkey’s recent crackdown on censoring sites that discuss evolution. In Russia, a seemingly positive attempt by the government to combat child-pornography, suggests that the government will have control over a blacklist that will prevent Russian Internet users from accessing particular websites.
One of the interesting parallels here is that control systems used to manage and monitor infrastructure within government and industrial bodies have now become a target of attack. The recent Illinois Water Attack has prompted the US Department of Homeland Security to release a warning and set of guidelines to tighten up security for SCADA systems. The fear here is that activists and hackers may start turning towards attacking government infrastructure to gain more control over key resources.
Often the motives for Internet censorship tend to fall under the guise of some positive legal force, such as the fight against child pornography or intellectual property theft, but the consequences of these acts seem to be much greater. 2012 looks like it will see the end of a truly open Internet. Expect many more darknets to emerge, and a lot more fighting back.
A last trend worth discussing is security in the cloud. We all know that sticking all of our business data out onto the Internet comes with a stack of security risks, but much of the media would have us believe that businesses are flocking to the cloud to diminish their IT costs. That’s simply not true. Silicon Republic reports that security is still the major inhibitor when it comes to putting data into the cloud. For that reason, security companies are seeing a major boom and are likely to see that continue through 2012.
Those reservations to move to cloud-based technologies extend far and wide. Just the other day, Los Angeles City Council had to scale back their agreement with Google Mail, as its security was just not sufficient to cover the requirements of a range of departments such as the LAPD. Recently, a security firm evaluated security within a cloud provider’s facility and was able to gain domain-wide administrator access within a day.
Some say that cloud technologies are just not mature enough yet. This opinion is fairly ignorant, cloud-based mail storage facilities have been in existence for half the life of the Internet. Amazon Web Services have been around for well on six years now. In general, these services have proved to be robust and security incidents are not commonplace. Other cloud services, such as online accounting facilities and virtual desktop services are less mature, but despite perceptions to the contrary, they have proved to be generally pretty secure. Nonetheless, analysts are predicting that 2012 will see a spate of attacks on these kinds of services. Of course, the same analysts are usually lining their pockets on the back of their predictions.
2012 will present new challenges as businesses struggle with their security requirements and the general trend towards outsourcing data control to third-parties based on the Internet. Tracking attacks on cloud-based services will be incredibly difficult because the term is so nebulous. Anything not stored on your own locally hosted server is effectively in the cloud.