It’s the last gasp of 2016 and those “what to expect next year” lists keep arriving, most of which go straight into the spam folder.
Still, for infosec people it’s worth thinking about what might happen, because then you won’t feel guilty about adding a few extra glugs of rum into the eggnog. Yes, 2017 will be that bad.
First, devices, devices, and even more devices. Everything’s connected now and mostly totally insecure. It’s not your users' fault (or yours for that matter), because it’s impossible to test and check every piece of hardware and software these devices run.
No, it’s the vendors that are the problem. Not only do they ship defective products, sometimes even with malware preinstalled, most do not have a continuous testing program and rely on outside researchers to find and point out the flaws in their products.
This won't change, meaning security researchers will have a busy 2017. We should, however, give a pat on the back to the companies who have bug bounties with big rewards for vulnerability finders; at least that's something.
Next up, the fallout from the giant Yahoo data breaches will be a challenge to contain in 2017.
Your users will be safe of course, because they didn’t reuse their complex Yahoo passwords elsewhere, and have 2FA and other authentication measures enabled so phishing won’t work on them.
Yeah, I’m dreaming. That’s not how users anywhere in the world operate.
Furthermore, Yahoo hashed the leaked passwords with the Message Digest 5 algorithm which first appeared in 1991, and which its developer pronounced hackable in 2012. The hack of one billion Yahoo user details happened three years ago, giving attackers ample time to run password crackers on the data.
One consolation in this mess is that the leak is so massive, the bottom's fallen out of the credentials trading market. The entire billion-user database is for sale for a paltry US$300,000 (A$414,000).
This values each user at A$0.0004 or thereabouts, meaning future hacks have to be of a similar scale to be worthwhile for the baddies.
On the denial of service front, things started look up a bit this year. Cops around the world have arrested and chastised a large number of booter and stresser kids. More importantly, police have started an education campaign to explain to the young ones that they will get into serious trouble for DDoS attacks, and it won't be much fun.
It’s too soon to rejoice though. As of writing, network operators around the world are scratching their heads over a sudden increase in Network Time Protocol (NTP) traffic.
This could be the infamous Mirai botnet again, which attacks insecure edge devices (see above) and corrals them into giant DDoS networks that churn out huge amounts of packets.
Mirai developers aren’t giving up, and are honing their malware with TOR-hidden command and control servers, so we probably haven’t seen the last of this.
Dealing with profit-driven cyber crims is bad enough, but it really doesn’t help when governments make it even harder.
These will add further confusion and uncertainty for the industry, on top of existing legislation that kicked in this year.
Next year will also see the debate around backdoors in strong encryption continue.
Governments insist on weakening encryption because of terrorism, while security professionals implore them [pdf] not to do that because it’s dangerous and stupid and won't achieve anything good.
No prizes for guessing who’ll win that debate, unfortunately.
The outlook isn't all bad next year, however: despite the vast amount of expected drama, there just aren’t enough skilled infosec people to help organisations get through everything.
That’s right. You’re in demand and hard to replace, so asking for a pay rise should make 2017 a bit less of an ordeal.
Merry Christmas, and Happy New Year.