This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Christoph Alme, Paula Greve, and François Paget.
In spite of advanced attacks of various types, malware, and other concerns, the web remains the primary threats vector. Whether we browse via Android, iOS, Windows, Mac, or other means, free open-source analytic tools can allow almost anyone to learn too much about us and use that information to entice us “click that link.” We have learned to avoid many of these temptations, but two things remain true in security: As features evolve, new threats are quick to arise; and as we adapt detection and takedown capabilities, the bad guys are just as agile in adapting their methods. We anticipate an increase in threats next year in three main areas: HTML5, exploit kits, and “free” software.
The biggest story in feature evolution is HTML5, which allows websites to come alive with interaction, personalization, and rich capabilities for programmers. But HTML5 also allows a significant number of new ways to snoop on users and exploit the system. Using HTML5, researchers have already shown how one could identify a user’s browser history to better target ads. Once the HTML5 adoption is complete, we expect to see similar abuses of HTML5 to enable access to the device—breaching the browser sandbox. With the spread of “app friendly” devices—and HTML5 embedded not just in web pages but within the apps as well—hackers will gain as much access to a user’s world as they could desire. We expect HTML5 abuses to become as commonplace as any of the exploit kits will allow.
Speaking of exploit kits, this past year showed us that they are the best tool for infecting users’ machines. We expect that the bad guys will continue to invest in the development and sharing of kits such as Blackhole. As the security industry continues to better detect and respond to newly registered domains set up for a malicious purpose, the criminals will focus efforts on evolving exploit kits to successfully insert malicious code and redirection components into legitimate web sites. Given the dynamic nature of content hosting, short URLs, and dynamic page content, these infected pages may have a longer time to live and become more valuable to attackers. Thus we will see continued evolution of attacking not only the browsers, but the servers as well.
In 2014, users and administrators will face a greater challenge from “free” products. Some say if you don’t pay for a product, you are the product. We have become accustomed to getting awesome apps—for free—with excellent features that make our lives easier—for free—and even security services—for free. But all of these services and apps cost money, and their developers must pay for them by selling ads, selling our information, or making us buy other things. This need has led to significant shades of gray between “information-stealing malware” and “making-our-lives-easier utilities.” In the security industry, we already see increased pressure from developers to reclassify their potentially unwanted programs and adware as legitimate software. During the course of 2014, an event (data breach, data leak, a company using customer information just a little too broadly) will occur that will make the public fully aware of how much of their data is exposed and could be inferred. This event and its fallout will challenge some of the freemium models that society has come to expect–and waking up the general public to how much of a “right” they have to fully understand and control their “big data footprint” and what conveniences they would be willing to give up to make it smaller.
Our desire for more and better features exposes us to greater risks, more open-source options help not just developers and researchers but also cybercriminals, and convenience and cost battle with privacy and security. In 2014 we will see the full impact of these tradeoffs.