Following on from our overall look at the common predictions sent to me for 2015 and a lively webcast on the subject from this week, I have decided that the second prediction trend I will look at more thoroughly is a continuing major topic from 2014.
Could anyone have predicted the impact that the likes of Heartbleed, Shellshock and Poodle would have upon security? With national and global news coverage and enough scare stories to shock even the calmest IT administrator into action, they made for plenty of column inches and late nights.
As a result, it is not a surprise that it features heavily as a predicted trend for 2014. In fact, many established security firms and researchers predicted that things will get worse before there is any prospect of them getting better.
For example, Kaspersky predicted that there will be more “internet-bleeding stories” of dangerous vulnerabilities appearing in old code which exposes the internet infrastructure to menacing attacks, while Sophos predicted that there will be “more major flaws in widely-used software that had escaped notice by the security industry over the past 15 years”.
Jesse Rothstein, CEO of ExtraHop, said that Heartbleed and Shellshock are just the beginning, as their scope and scale, as well as their proximity to each other, were a wake-up call for many IT organisations. “In my nearly 20 years of experience working in enterprise software and network engineering, these are two of the most serious threats I’ve seen. I’d go so far as to say that they are among the top five most significant zero-day events of all time,” he said.
So is the problem entirely in old code? Both Blue Coat Systems and McAfee predicted that there will be further exploitation of vulnerabilities, with the former predicting that a single defect will cause failures to ripple through a system. “Vulnerability seekers have had their first taste of this, and there’s no going back now,” Blue Coat said.
McAfee Labs predicted that exploitation techniques such as stack pivoting, return and jump-oriented programming and a deeper understanding of 64-bit software will continue to drive the growth in the number of newly discovered vulnerabilities, as will the volume of malware that exploits those newly discovered vulnerabilities.
So the problem is not confined to legacy code, nor to new technology built on old code bases. Candid Wüeest, threat researcher at Symantec Security Response, believed that 2015 will bring new vulnerabilities discovered in open-source databases and web-service platforms, and with that we’ll see hackers exploit these vulnerabilities with impunity.
He said: “As with Heartbleed and Shellshock, these vulnerabilities represent a potentially rich, new area for attackers; the greatest risk continues to come from vulnerabilities that are known, but for which organisations and consumers alike don’t apply the corrective patches.”
I am sure that flaws will continue to be reported and disclosed, much like they were this week with Moonpig. However, as we found out this morning, we will be hearing a lot less from Microsoft, with its advance notification system being suspended for the commoners.
HD Moore, chief research officer at Rapid7, predicted that we will see tons of client-side issues within Microsoft though, even though the “big bugs” of 2014 were not in Microsoft products for once.
“The issues that keep ‘breaking the internet’ are endemic flaws in open source software that really should be better by now,” he said. “Plan for another year in which vulnerabilities in open source libraries and system components result in major disruption and possible data loss.”
Of course we will see more bugs, as Veracode’s Chris Eng told me last year: “most software is not written entirely from scratch; only ten per cent of code is, and 90 per cent comes from other libraries and products”. In other words, recycled code with duplicated flaws. Maybe a solution is better code analysis, or for the code writers to start from scratch.
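As an added example (not code from this article, nor from Veracode, Symantec or any other firm quoted in it), here is a minimal dependency audit that puts the two points above into practice: most of an application is third-party library code, and the biggest risk is a known flaw whose fix has simply not been applied. It reads a pinned component manifest, compares each pin against the first fixed version in an advisory list, and reports anything that is still behind. The manifest format, the advisory labels and every component except OpenSSL are constructed for this example; the one real value is OpenSSL 1.0.1g as the release that fixed Heartbleed.

```python
# Added example, not from the article. A toy software-composition check:
# flag pinned components whose version is below the first fixed version
# listed in a (constructed) advisory feed.
import re
from typing import Dict, List, Tuple

# Constructed advisory feed: component -> (first fixed version, label).
# Only the OpenSSL entry reflects a real fix version (1.0.1g, Heartbleed);
# the other components and all advisory labels are placeholders.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "openssl": ("1.0.1g", "EXAMPLE-ADV-HEARTBLEED"),
    "libfoo": ("2.1.0", "EXAMPLE-ADV-0001"),
    "libbaz": ("1.0", "EXAMPLE-ADV-0002"),
}

# Constructed manifest of components an application bundles, one pin per line.
SAMPLE_MANIFEST = """\
# constructed sample manifest: name==version
openssl==1.0.1f     # behind the fix version -> should be flagged
libfoo==2.1.0       # exactly the fix version -> clean
libbaz==0.9.4       # behind the fix version -> should be flagged
zlib==1.2.8         # no advisory in the feed -> clean
"""

# Dotted numerics with an optional single-letter suffix, e.g. 1.0.1g.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '1.0.1g' into ((1, 0, 1), 'g'); reject anything else."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2)


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts strictly before version b.

    Shorter numeric tuples are zero-padded so that 1.0 == 1.0.0, and a
    letter suffix sorts after the bare number (1.0.1 < 1.0.1g < 1.0.2).
    """
    nums_a, suffix_a = parse_version(a)
    nums_b, suffix_b = parse_version(b)
    width = max(len(nums_a), len(nums_b))
    nums_a += (0,) * (width - len(nums_a))
    nums_b += (0,) * (width - len(nums_b))
    return (nums_a, suffix_a) < (nums_b, suffix_b)


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; '#' starts a comment, blanks are skipped."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not name.strip() or not version.strip():
            raise ValueError(f"expected name==version, got {raw!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def audit(manifest: str, advisories: Dict[str, Tuple[str, str]] = ADVISORIES) -> List[dict]:
    """Return one finding per pinned component that is behind its fix version."""
    findings: List[dict] = []
    for name, pinned in parse_manifest(manifest).items():
        if name not in advisories:
            continue
        fixed_in, label = advisories[name]
        if version_lt(pinned, fixed_in):
            findings.append(
                {"component": name, "pinned": pinned, "fixed_in": fixed_in, "advisory": label}
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST):
        print(
            f"{finding['component']} {finding['pinned']} is behind fix version "
            f"{finding['fixed_in']} ({finding['advisory']})"
        )
```

The comparison deliberately refuses version strings it does not understand rather than guessing, since a silently mis-ordered version is exactly how a vulnerable pin slips through an audit; a real feed would also carry version ranges and multiple fixed branches, which this toy omits.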