January 06, 2015 IT SECURITY

What Does The Crystal Ball Reveal, You Ask?

Well, I’m sorry, but as always I don’t have a crystal ball, so please don’t use anything I say against me.

In the last three years, we have _all_ got our predictions wrong.  The year 2013 opened with major DDoS attacks, something almost no one saw coming, even though we knew attackers had been building up to it in the years before.  This year set a new record for the number of breaches and the number of user identities compromised.  By now we can safely assume that attackers know everyone’s name, email address, postal address and phone number, and for most of us the SSN as well.  And if they visit our ill-configured Facebook pages, they can learn our entire life history.  We have no secrets from them; and that’s where the problem lies.

So what will transpire in 2015?

Let me attempt one prediction.  The adoption of open source and Linux-based systems seems to have reached a point of no return.   By most estimates, at least half of the servers on the internet run Linux. When the bash vulnerability (Shellshock, CVE-2014-6271) was announced in September, it was clear this was a big issue simply because of the number of systems that run Linux, especially as web servers: any CGI script that passes request headers into environment variables and ends up invoking bash could be exploited remotely with a single crafted HTTP request.
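The check a practitioner wants after reading that paragraph is whether a given bash binary is still affected. The script below is an added example, not code from the original post; it runs the well-known probe for the first Shellshock CVE (CVE-2014-6271) against the bash on PATH or a binary you name, and reports the result through its exit status. It does not cover the follow-up bugs found in the days after the first patch, which need their own probes.

```shell
#!/bin/sh
# Added example, not code from the original post: a local check for the
# original Shellshock bug (CVE-2014-6271) in a given bash binary.
# It only covers that first CVE; the follow-up bugs found in the days
# after (e.g. CVE-2014-7169) need their own probes.

# shellshock_check [PATH_TO_BASH]
# Exit status: 0 = not vulnerable, 1 = VULNERABLE, 2 = no usable bash.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2

    # The probe exports an environment variable whose value looks like an
    # exported function definition followed by a trailing command. A
    # vulnerable bash keeps parsing past the function body "() { :;}" and
    # runs that trailing command while importing the environment, before
    # the -c script even starts. A patched bash treats it as plain data.
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)

    case "$out" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Usage: check the bash on PATH, or the one given as the first argument.
shellshock_check "${1:-bash}" && rc=0 || rc=$?
case "$rc" in
    0) echo "bash is not vulnerable to CVE-2014-6271" ;;
    1) echo "bash is VULNERABLE to CVE-2014-6271" ;;
    *) echo "no bash binary found; nothing to test" ;;
esac
```

Test the binary rather than trusting `bash --version`: distributions backport the fix without bumping the version string, and a box can carry several copies of bash (chroots, containers, appliance firmware) that were patched at different times.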

But this wasn’t the only one; we had some major issues before it. We have discovered that SSL, the protocol we relied on for so many years, is flawed: first in its most widely used implementation (OpenSSL’s Heartbleed bug in April), then, with POODLE in October, in the SSL 3.0 protocol itself, which lets an attacker on the network path recover secrets such as session cookies from SSL 3.0 connections.   All these issues point to something new looming on the horizon. As we adopt different technologies and move away from Microsoft, at least for certain parts of IT, we find that the other systems are flawed as well, and we run into an entirely new question: who is maintaining those systems?

I’m not a fan of MS by any means, but there is indeed a difference here: when MS recognizes a vulnerability, they patch it before they announce it.

In the open source world, there is no single vendor that owns such a process. Coordinated disclosure does exist there (distribution security teams, embargoed mailing lists), but it is inconsistent, embargoes leak, and the first fix may be incomplete, as the initial Shellshock patch was. So the vulnerability is often public before you have had a chance to figure out how to protect yourself.  This creates a nice advantage for attackers (as if they needed another one): vulnerable, unpatched systems, ripe and ready to be compromised.

So where’s the prediction, you ask?

Simple: the more we use Linux and open source, the more vulnerabilities we will unearth, and the more issues will arise.  In 2015 it is likely we will see more such vulnerabilities and be scrambling to fix them.

Similarly, the finding that SSL 3.0 is inherently flawed is not to be underestimated.   SSL was THE protocol of choice for encryption across a very large part of the internet.  TLS has replaced it in modern software, but SSL 3.0 is still left enabled for compatibility on a great many servers, and it is all that some old clients and embedded devices can speak.  In many cases, moving away from it means updating systems that cannot easily be updated.  So I don’t foresee SSL disappearing magically. On the contrary, I think many people will continue using it, most of them unaware of the issue, and many of these systems will fall prey to attackers.  To do what?  Launch DDoS attacks, distribute malware, barrage you with spam.  That part isn’t going away anytime soon.  Spam is only becoming more sophisticated, and with the introduction of hundreds of new top-level domains, watch for it to become even more of a problem than it already is.
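For the operators the paragraph above is worried about, the practical question is whether their own servers still accept SSL 3.0. The script below is an added example, not code from the original post. It probes a host with `openssl s_client -ssl3` and keeps the output parsing in a separate function so the parsing can be exercised offline on captured transcripts; the two sample transcripts at the bottom are constructed for that purpose, not real captures. The subtlety it handles: on a failed handshake, s_client still prints `Protocol  : SSLv3` (the version it tried), so the `Cipher is (NONE)` line, not the Protocol line, is what tells you no session was established.

```shell
#!/bin/sh
# Added example, not code from the original post: find out whether a server
# still accepts SSL 3.0. openssl s_client does the probing; the output
# parsing is a separate function so it can be exercised on captured output
# without any network access.

# negotiated_protocol: read s_client output on stdin and print the protocol
# of the session that was actually established ("SSLv3", "TLSv1.2", ...),
# or "NONE" when the handshake failed. The Cipher line is the reliable
# signal: on a failed handshake s_client still prints "Protocol  : SSLv3"
# in its SSL-Session block (the version it tried), with "Cipher is (NONE)".
negotiated_protocol() {
    out=$(cat)
    case "$out" in
        *"Cipher is (NONE)"*) echo NONE ;;
        *) printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1 ;;
    esac
}

# ssl3_accepted HOST [PORT]: exit 0 = SSLv3 refused, 1 = SSLv3 ACCEPTED,
# 2 = no verdict (no openssl, or one built without SSLv3 support, which
# rejects the -ssl3 option instead of connecting).
ssl3_accepted() {
    host="$1"; port="${2:-443}"
    command -v openssl >/dev/null 2>&1 || return 2
    out=$(openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1) || true
    case "$out" in
        *"unknown option"*|*"Unknown option"*) return 2 ;;
    esac
    if [ "$(printf '%s\n' "$out" | negotiated_protocol)" = "SSLv3" ]; then
        return 1
    fi
    return 0
}

# Constructed sample transcripts (abridged, not real captures) so the parser
# can be demonstrated offline.
sample_accepted() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'New, SSLv3, Cipher is AES256-SHA' \
        'SSL-Session:' \
        '    Protocol  : SSLv3' \
        '    Cipher    : AES256-SHA'
}
sample_refused() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'SSL routines:ssl3_read_bytes:sslv3 alert handshake failure' \
        'New, (NONE), Cipher is (NONE)' \
        'SSL-Session:' \
        '    Protocol  : SSLv3' \
        '    Cipher    : 0000'
}

echo "accepted sample -> $(sample_accepted | negotiated_protocol)"   # SSLv3
echo "refused sample  -> $(sample_refused  | negotiated_protocol)"   # NONE
```

Run `ssl3_accepted your.host 443` against each public endpoint; an exit status of 1 means the server will happily downgrade to SSL 3.0. The fix is on the server side: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in nginx, `SSLProtocol all -SSLv2 -SSLv3` in Apache. A modern openssl built without SSL 3.0 support returns 2 here, which is a statement about your scanner, not about the server, so keep an older build around for auditing.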

Adding on, the new top-level domains aren’t being handled with the same strict and formal rigour as the legacy TLDs have been thus far (.com, .org, .edu, .gov, .mil and so forth).  New TLDs are being delegated almost daily; the registries and registrars behind them aren’t always forthcoming with WHOIS data, so reputation-based anti-spam filtering for mail from these domains can be a problem.   And with the diffusion of more spam, more malware will come as well.

In a completely separate matter, it would be nice if we could, once and for all, understand the contradictory relationship we have with China.

On the one hand, our President flies there to sign a climate agreement to reduce CO2 emissions; on the other, the same administration tells us that Chinese entities likely backed by the government are carrying out cyber attacks against our national interests.  So, are we in a sort of cyberwar with China that is undeclared and, for the most part, ignored?

Oh, for some developments in this area, so that _we_, the people, can understand what is really going on here, and why we keep such close ties with someone who has allegedly declared a cyberwar against us.

The fact that it’s “cyber” and that no one has (yet) died as a result doesn’t make it any less dangerous.  This isn’t a prediction, though, but a hope: that things become at least a little clearer, because I think I can speak for many of us when I say, “I am quite confused as to what’s going on here”.