As in the real world, cyberspace has bad neighborhoods. But unlike the real world, risks in cyberspace are not easy to spot -- and the location of those digital bad neighborhoods can change all the time.
When security experts look back at 2010, they will see a major turning point in the world of cyberscares. The virtual and the real collided in new, dramatic ways during the past 12 months, and the Internet will never be the same.
Gone for good is the glamour of annoying outages caused by hackers sending e-mail attachments and launching Web page attacks. Now, computer criminals are being credited with stalling a rogue nuclear power plant program, and with bringing world diplomacy to its knees. Things are getting serious.
There's still a lot we don't know about the virus named Stuxnet. Unlike 99 percent of the viruses written before it, this malicious program was designed to leave most of the Internet untouched. In fact, it wasn't even written in a language that could infect normal Web users. Instead, it apparently was written to cripple nuclear power plants by some entity that had insider knowledge of how utilities work. Stuxnet may have found its way into an Iranian nuclear power plant and mucked up its operations, according to various reports. True or not, Stuxnet sent shudders through the computer security world, and will likely inspire copycat "targeted" attacks for years.
Meanwhile, WikiLeaks showed how technology can turn a David-vs.-Goliath match into a fairly even battle. Non-tech journalists were simply flabbergasted that a man like Julian Assange could take on the U.S. government -- or any government -- so directly, and that government had so little power to stop him. What Assange did has already had serious real-world consequences, and they are ongoing. Assange was a teenage hacker before he became a political activist, and he might be considered the first Web-age hacker to have "grown up" -- he is what a hacker who doesn't ultimately get a job in computer security can turn into. He is destined to become the hero of every teenager with a little programming skill and a cause.
Sure, there have been plenty of cyberskirmishes fought in the name of activism, and there have been Twitter and Facebook campaigns aplenty -- such as the Twitter-aided Iranian "revolution" of 2009. But those did not have anywhere near the impact of Stuxnet or WikiLeaks. Indeed, 2010 will be remembered as the year things changed. And those changes headline the top 10 things Internet users need to fear most in 2011.
At the same time, a more subtle, but perhaps more immediate danger for Web consumers surrounds the explosion of off-the-PC Internet applications. The Web is on nearly half of U.S. cell phones now, but that's only the beginning. It's also on TVs, DVD players, tablets like the iPad and even kitchen appliances. What's the risk? How many consumers do you know who are ready to purchase anti-virus software for their Blu-ray players? Predictions have been made for a long time about mobile Web viruses. Given the explosion of new, unprotected gadgets, 2011 appears to be their year.
On to the list. We will begin with the biggest consumer-grade threats, then work our way up to the most dramatic possibilities created by the success of Stuxnet and WikiLeaks.
I use Twitter because I have to, and I play around with Foursquare for research purposes only. I am amazed that anyone uses the location-based services provided by these companies for anything but the most limited of applications. Sure, Foursquare creates some neat possibilities for finding friends. But even the most dimwitted of stalkers can turn these tools into playgrounds. It's trivial to know where people on Foursquare live, work and play, and when they will be at each of these locations. Criminals will catch up to this during 2011 and I hope you don't end up in the headlines. Use location services with extreme care. One tip: Have a friend "stalk" you to see how easily a stranger could follow you, then adjust your usage accordingly.
Physical stalking is far from the only risk, however. Computer criminals can observe a person's traveling behavior to craft incredibly convincing phishing e-mails or other cyberattacks ("Hey, it was fun meeting you last night at Sullivan's Pub!"). Location-based service users need to add an extra helping of suspicion to their Web travels.
2. New media platforms
Consumers are welcoming browser-enabled gadgets all over their homes, and why not? It's great to stream movies to your television without having to bother with tricky laptop-to-TV connections. But beware, says security firm McAfee. Many device application creators are rushing their products to market to meet demand, taking shortcuts on critical security issues (We've heard that story before).
"These tools have historically weak coding and security practices, and will allow cybercriminals to manipulate a variety of physical devices through compromised or controlled apps," the company warns. The threats could be simple, such as fake Web pages that pop up on TVs, asking users to submit personal information. Or they could be complex, such as theft of stored passwords, or even hijacking of the machines for use in botnets. "This danger will eventually lead to data exposure and threats through new media platforms such as Google TV," McAfee warns.
3. Mobile phones
Every year since about 2004, security experts have predicted an explosion in viruses targeting cell phones. They are beginning to sound like the boy who cried wolf, but this year could be different. Until now, cell phones -- even smart phones -- have operated in very controlled environments. But the proliferation of the open-application environment of Android, and the "jailbreaking" of iPhones, has created a much more hacker-friendly world for cell phones. As the prevalence of these gadgets reaches critical mass, hackers will be drawn to them like gnats to a porch light.
4. Mobile gadgets
In a related category, the explosion of mobile gadgets this year will create both a new playground for bad guys, and a new incentive to target operating systems that also control smart phones. Analysts predict some 50 million tablets of all flavors will be sold in 2011. Most will use Apple's operating system, but perhaps 10 million to 20 million will be variations on that theme, running Google's Android. The market for tablet-based antivirus software, meanwhile, is virtually non-existent.
"Those devices are in some ways more powerful than computers, yet people are treating them like mobile phones," warned Piero DePaoli, a security researcher at Symantec Corp. "They don't do much to secure them."
The combination of tablets and smart phones will prove to be a target-rich environment for the bad guys.
5. URL shortening
When you only have 140 characters to express your thoughts and feelings, you sure don't want to get bogged down passing along a wordy link like http://redtape.msnbc.com/2010/11/sherrilynn-palladino-lives-in-a-modest-three-bedroom-home-with-an-affordable-mortgage-about-15-miles-from-the-ocean-in-grov.html
(My New Year's resolution: Shorter URLs)
The solution? URL shortening services like bit.ly. They're great. Here's a better link for my story above, by the way: http://bit.ly/erORys. But they are also an incredibly easy way for hackers to send you to an unexpected Web page. After all, bit.ly, by definition, obscures the destination URL. I could have claimed that this http://bit.ly/CNbKx was the link to my story above, when in fact it's a link to my favorite hockey team's Web site. It could just as easily be a link to a malicious Web page. URL shortening services undo years of online safety training, in which security experts told consumers to make sure the link they clicked really looked like it was headed to their intended destination. McAfee says there are more than 3,000 URLs being shortened every minute online. That's a lot of hacker potential.
6. Friendly fire
By now, you probably know enough not to click on an e-mail sent to you by AnneMarie0876 promising to help you enhance your private parts. But what about an e-mail from a close friend offering you a chance at a free iPod, or a coupon for 20 percent off at your favorite department store? This year, next-generation viruses like Koobface made it easy for hackers to personalize their attacks, using tools to gather information about you, leading to specially crafted e-mails and other attacks. Their success will lead to widespread imitation, McAfee warns.
"Personalized attacks are about to get a whole lot more personal," the firm says.
7. The end of spam. What?
Last year saw the lowest level of spam in years. Why? Criminals go where the people are. Both are moving on to more sophisticated communications platforms like Facebook. Spam is so 2004. Facebook wall posts apparently from friends asking for money are much more 2011.
"Social media connections will eventually replace e-mail as the primary vector for distributing malicious code and links," McAfee says. "The massive amount of personal information online coupled with the lack of user knowledge of how to secure this data will make it far easier for cybercriminals to engage in identity theft and user profiling."
Tweets from "friends" will lead to widespread infections. Facebook chats will trick people into giving up personal information, or clicking on malicious links. Promiscuous friending will allow bad guys to connect with all of your friends, creating an easy attack vector with a wide footprint. All of this will happen in an environment where consumers tend to trust more than traditional Web pages or e-mail -- in other words, their guard is down, and attacks will be up.
"This shift will completely alter the threat landscape in 2011," McAfee says.
8. Cloud computing
Remember Web 2.0? Me neither. It was just a marketing term that attempted to clarify what would happen if Internet applications started communicating with each other, such as Facebook and your phone's GPS service. Cloud computing is much the same thing: a marketing term that describes a world where people store data and use applications on remote computers, rather than on their own desktops or laptops. It's not new -- in fact, it's a rather 1960s concept. But technology firms would much rather rent computer space and services to users than sell them one-time products like a shrink-wrapped box of software. Think of it this way: Who would you rather be, the cell phone maker ($200 gadget sales) or the cell phone service provider ($100 monthly bills)? The TV maker ($400 gadget) or the cable company ($120 monthly bills)?
All that's well and good, and the cloud will provide some neat additional features for users, such as instant backup. But as the cloud moves into mainstream usage, hackers will follow. Only the payoff for hacking cloud services will be massive, warns ICSA Labs.
"Cloud services will become prime targets for hackers wanting to gain access, not just to a specific company's data but possibly to multiple victims simultaneously," the computer security company says. "As more users move to the cloud, we believe we will see more attacks directed at cloud-based services."
The cloud will also raise fascinating and troubling legal issues for users. Say you've stored all your family photos, or all your company's data, on a cloud service. What happens if there's a billing dispute, like those that arise with cable companies and cell phone providers? And what if that cloud provider refuses to release your data until you pay that hefty early termination fee? The best defense against that: Backing up all your data on your own computers, a rather un-cloud-like activity.
Meanwhile, many in the computer security world see widespread and lasting implications for cloud computing from the WikiLeaks incident. Forget Julian Assange for a moment, if you can. When Amazon Web Services decided to dump WikiLeaks content from its cloud servers, observers were left wondering: How trustworthy is the cloud? What if a provider like Amazon decides it doesn't like my data? Conceptually, if WikiLeaks can be cut off, anyone can.
9. Hacktivism outbreaks
Whatever you think of Julian Assange, from a security standpoint WikiLeaks is clearly the most successful and influential "hacktivism" event ever. It will inspire others aplenty. Its success lies in part in the different nature of Assange's strategy.
Until now, virtually all hacktivist efforts landed in two camps: online graffiti, such as Web page defacement, or online protests, such as denial of service attacks. The spreading of previously non-public information, against a government's will, is a new form of attack, and one that can't be stopped by adding improved packet filtering. The only way it can be stopped is by government officials taking a huge step backward and following the advice of many lawyers I know -- never type anything that you wouldn't want to see in the newspapers. Expect a lot more secure phone calls and a lot fewer "secure" e-mails between government officials. That might have a detrimental impact on important information sharing -- say, between terrorism researchers at the Department of Homeland Security and airport security officials. But WikiLeaks inevitably will lead to this kind of chilling.
One lesser-discussed aspect of the WikiLeaks release of U.S. diplomatic cables is Assange's hacker background, and the architecture of the WikiLeaks distribution system. It has built in global redundancies and clever booby traps, such as that encrypted insurance file. And it has proven the ability of one small organization to evade a powerful government's ability to shut it down. That will inspire other groups. That loose hacker organizations like Anonymous responded to the incident by brazenly attacking major firms like Visa and MasterCard shows that renegade hackers are feeling their oats right now.
Meanwhile, attacks by organizations that claim to be acting privately raise important questions in cyberspace. After all, who believes that the attacks on Google emanating from China were completely independent from government influence?
"Whether governments drive these manipulations and activities covertly is open to debate, but it is likely enough that states will adopt a privateer model," warns McAfee. "Hacktivism as a diversion could be the first step in cyberwarfare."
Just how far into conflict could vigilante hacking that may or may not be state-sponsored lead America? In a small research facility in Tallinn, Estonia, called the Cooperative Cyber Defence Centre of Excellence, a NATO lawyer named Eneken Tikk is working to develop policy defining just what cyberwar is, and just what kind of response a NATO member must take if another member comes under attack.
Can a cyber-attack elicit a physical response? Can it trigger NATO's mutual defense obligation? What if the next WikiLeaks-like organization manages to shut down power to parts of France or Germany, or to expose government secrets such as the location of military assets? Would the U.S. be required to respond?
The problem, she says, is when it comes to cyber-response, whom do you bomb? That's why the bar for a "kinetic" response to an electronic attack should remain high, she said, limited to "a cyber attack on a country's power networks or critical infrastructure (that) resulted in casualties and destruction comparable to an armed attack."
10. More targeted malware, backed by nation-states
We now know cyberwarfare can go pretty far. The Stuxnet virus broke new ground in the computer security world, as it was clearly designed to take down utility plants -- and may have been written to take down one particular plant in one particular part of the world.
In late November, Iranian President Mahmoud Ahmadinejad said that enemies of the country succeeded in "creating problems for a limited number of our centrifuges with software," admitting for the first time that Stuxnet had indeed hit what seemed to be its intended target. Of course, low-level cyberwar has been occurring for years, and the U.S. public knows precious little about many of these attacks. But it's hard to imagine a more successful cyberattack in history than Stuxnet. No one knows who created the virus, but the specialized knowledge required to write it points to very few organizations and governments. Clearly, the efforts are being repeated and imitated as you read this.
One specialized form of government-sponsored attack is something McAfee calls the "Advanced Persistent Threat," which has the ability to remain undetected for a long stretch of time and activate only when the attacking country sees the need. Who knows how many viruses or bugs have been installed in vital computers around the world, back-doors and booby traps that are waiting for orders from headquarters? This kind of cyber cold war has been imagined for years, but McAfee thinks its time has arrived.
"There are numerous … attack teams located around the world, all with varying degrees of capabilities and expertise," the firm says. "… Some have access to massive amounts of resources (hardware, software, and human) and even traditional intelligence, surveillance and reconnaissance capabilities. Others borrow, steal or purchase ready-made tools offered and frequently used by established cybercriminal gangs and conduct themselves in a similar manner to gangs. McAfee warns that companies of all sizes that have any involvement in national security or major global economic activities should expect to come under pervasive and continuous … attacks that go after e-mail archives, document stores, intellectual property repositories and other databases."
In other words, it appears cyberspace is going to be much chillier in 2011.