It's 2007 now, so let's take a peek at what the year ahead might hold in store for the world in terms of information security.
First on the list is the most obvious item, Windows Vista. Microsoft calls Vista its most secure OS to date. That's probably true given the insecurity of previous Windows OSs. But while Vista does seem more secure than previous versions of Windows, it hasn't yet become the primary target of the blackest of the black hats. But that's about to change.
Recently a vulnerability in Windows was discovered that affects Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The vulnerability is located in the Client-Server Runtime Subsystem (CSRSS) and lets someone elevate his or her privileges to the level of Administrator.
For the most part, the news stories and technical reports I've read present this vulnerability as a minor problem, apparently because in order to exploit it, a user must already be authenticated to the system. So the thinking is that unless someone can be tricked into running it, there isn't much risk. But that thinking is shortsighted.
What most of the news stories overlook is the fact that in the business world, a significant number of intrusions are perpetrated by people inside a company (e.g., users who can readily authenticate to a system). Seen in that light, this vulnerability--and any other vulnerability that lets someone elevate privileges--is indeed serious.
We're probably going to see more vulnerabilities of a similar caliber (or worse) affecting Vista. I think we'll see a lot of Vista vulnerabilities, with most of them discovered via exploits snagged from the wilds of the Internet--exploits either in active circulation or for sale on sites around the world. Look for this trend to naturally pick up momentum in the third and fourth quarters of the year.
Right along with Vista exploits will be increased exploitation of RSS and Atom feeds, along with exploits of multimedia content, particularly because Vista includes ample support for these technologies. Web sites will be silently cracked, their content will be replaced, and their feeds will be hijacked, and site operators won't discover the tampering until users complain or until they're publicly embarrassed by the media. Similarly, I think we'll also see a significant increase in exploits launched via popular sites such as YouTube, MySpace, and popular network-enabled games.
Another important trend will probably be a much stronger push for digital identities and various protection mechanisms against identity theft. As for the latter issue, user education will probably remain low on the list of remedies even though it's the best solution available. Watch for many more news stories about huge personal data breaches in 2007.
Identity theft, spam, and malware will of course continue to grow into bigger problems than they already are. We probably won't see any significant dents made in those problems in 2007. Vendors don't seem to be keen on rooting out problems but instead prefer to sell Band-Aids, so to speak. Here's one good example: Remember Blue Security? That tiny company came up with a fantastic mechanism (called Blue Frog) to fight spam, and it was hugely successful! Unfortunately, the company caved in to retaliation from spammers, and not one of the most powerful companies in the industry has stepped up to take up where Blue Security left off. I seriously doubt that any of them will either. There appears to be little if any desire to disassemble the engines that drive product sales. Sad, but true.
Finally, botnets will become a much bigger problem in 2007, and I suspect that the problem will eventually lead to some very serious quakes on the Internet.