Cyber Security:Predictions galore: BL
A look at what cyberspace might hold this new year..


Through the looking glass.
Predictions dished out by astrologers and experts on January 1 each year are lapped up by consumers
whichever walk of life or profession they might be.
The cyber world is no different. I am not for a moment underplaying the importance or utility of such
predictions. What I look for is certain exactitude in warning what one should be prepared for in the New
Year. This is why I am amused when experts say that 2010 will see more intrusions in cyberspace and we
should be more vigilant.
There are, however, a few analyses that are slightly more concrete and therefore meaningful. As for
instance, when McAfee, the reputed anti-virus software vendor, projects a year that will be marked by
intensified criminal concentration on social networking sites such as Facebook and Twitter. Its 2010 Threat
Predictions report suggests that Twitter will, in particular, be the target of those who want to hide sinister
Web sites somewhere so that their detection becomes difficult. There will also be exploitation of popular
applications alongside increased sophistication of cyber criminals. McAfee also believes that HTML5 will be
popular among malware writers. More attacks on Adobe Reader and a rise in banking Trojans are distinct
possibilities.
The prognosis, especially with regard to Facebook and other such sites, seems credible because of the
avalanche of attacks on them that one saw in 2009. Readers may also recall that a number of hackers into
these sites succeeded in breaking into users' profiles and posting links to malware-affected sites.
Notwithstanding these, I do not foresee any drop in new subscribers to Facebook and Twitter, because they
are live and interesting to an average individual looking for excitement in cyberspace. They have also
acquired a certain aura, thanks to VIP users such as our own Minister in the Ministry of External Affairs,
Shashi Tharoor.
Apart from McAfee, there are several other companies offering predictions. One of them is Kaspersky Lab,
again an anti-virus software provider, which is headquartered in Moscow and has offices all over the world.
Although the company indulges in some generalisations, such as an increase in the sophistication of
attacks, it makes bold to predict that next year will witness less number of attacks using Web sites and
applications. There will also be fewer malicious applications making bogus claims of being genuine anti-virus
and security software. Kaspersky attributes this to market saturation of such products and increased
vigilance of law enforcement officials. Also interesting will be to watch how cyber criminals are going to
receive new operating systems such as Windows 7 and Snow Leopard.
Perhaps somewhat contentious is the prediction that black hat hackers will start legitimising their activities
by means of partner programmes, wherein professional criminals will be assisted through monetising spam
botnets, denial of service attacks and malware. It is not clear on what basis Kaspersky is making this
assertion. But it is undoubtedly an interesting speculation that should alert policemen patrolling cyberspace.
Equally intriguing and absorbing is Kaspersky's belief that 2012 will see more pressure on mobile phone
applications, file sharing and peer to peer networks. The Kaspersky analysis sounds erudite and cannot be
ignored. It merits careful analysis.
Another expert surmise is that there will be first time criminal attention to cloud computing services. It is just
possible that these services will be hijacked and used to control and direct attacks. (More about the security
threats to cloud computing in a subsequent column.) Also, botnets will become more sophisticated. Perhaps
the most amusing suggestion is that there will be inter-gang wars where one gang may hijack the botnets
controlled by other gangs. In sum, whatever happens in the real world could be replicated in cyberspace!
Amidst all these conjectures comes the report now of extreme ingenuity on the part of a hacker called Samy
Kamkar who, only the other day, demonstrated how we can identify a browser's geographic location by
exploiting the weaknesses in many Wi-Fi routers. Incidentally, Samy is the hacker who, in 2005, through
what is now known as Samy Worm, put MySpace out of commission by adding more than one million friends
to the author's account. Kamkar tells us of how hardware firewalls can be penetrated with the help of some
JavaScript embedded in a Web page. He is positive that by luring victims to a malicious link, the aggressor
can access any service on the victim's machine. This is a dreadful prospect. The caveat, however, is that the
visitor must have on his machine an application running, such as file transfer protocol or session initiation
protocol. For one Samy known to us, there are a thousand others with a dishonest intention. This is why we
need to do everything within our capacity to educate ourselves on the latest modes of attack and take
minimum possible precautions.
Some cheer news
Against this background of fears of perils in cyberspace, the findings of two recent studies make sense. The
first by PriceWaterCoopers (PwC) claims that there is a nearly 100 per cent improvement in the security
capabilities of the IT-BPO industry in the past few years. Also noteworthy is the shift of accent from
technology to people-related controls through increased importance to employee security awareness
programmes.
Another study, conducted by KPMG and Nasscom, is nearly equally positive. According to it, security has
now become a Board room concern and a majority of companies look upon it as a business enabler.
Information security is now part of the training imparted to newcomers, and this has brought in its own
rewards in terms of protecting corporate information. This is heartwarming if one considers the situation until
a few years ago, when IT security was a very low priority, something of a ritual rather than a protector of a
company's assets and image.
The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.