Saturday, December 22, 2012

Predictions for 2013

After our successful predictions for 2012 (we predicted the Mayans were probably wrong), we thought we'd make predictions for 2013.

Vulns will be found in PDF, Flash, and Java

There are vulnerabilities in Acrobat Reader, Adobe Flash, and Java today that will be announced and patched in 2013. Update: Because the twitterati tricked me into it, I'll shave my head if this prediction fails. Update: On January 10, an 0day was announced in Java. Two to go. Update: It's February 13, and some Flash 0days have been patched, as well as some more Java 0days.

Defenders will be surprised by exploits in PDF, Flash, and Java

Information technology departments will continue to manage the network as if exploitation of PDF, Flash, and Java is not an important threat. Desktops will continue to be on the "insides" of the network with access to everything, instead of being firewalled off. After a massive breach, they will change anti-virus vendors, still believing that anti-virus works as long as you choose the right anti-virus.

Defenders will be surprised by exploitation of SQL injection

Information technology departments will still not pressure consultants and vendors to take responsibility for SQL injection. They will still not institute policies like "no code on servers that pastes strings together instead of using parameterized queries". They will continue stages of denial, like "it requires a password therefore hackers can't get to it".
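As an added illustration of the policy proposed above (example code, not from the original post), the string-pasting anti-pattern sits beside its parameterized replacement, followed by a crude source-scanning check for the "no pasted-together SQL" rule; the in-memory table, the sample inputs and the regex are assumptions constructed for this example.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory table standing in for a server-side user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_concat(conn, name):
    # The anti-pattern: the untrusted value is pasted into the SQL text, so a
    # name containing a quote rewrites the statement itself.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    # Parameterized query: the value is bound separately and is only ever
    # treated as data, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Crude check for the "no pasted-together SQL" policy: flag source lines where
# a double-quoted literal containing a SQL verb is joined with + or %.
SQL_PASTE = re.compile(
    r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*(\+|%)', re.IGNORECASE)

def find_pasted_sql(source):
    # Returns the 1-based line numbers that violate the policy.
    return [n for n, line in enumerate(source.splitlines(), 1)
            if SQL_PASTE.search(line)]

# Constructed sample of server code to run the policy check against.
SAMPLE_SOURCE = '''\
cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
cur.execute("DELETE FROM sessions WHERE id = %s" % sid)
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    db = make_db()
    quoted = "x' OR '1'='1"            # constructed input containing quotes
    print(lookup_concat(db, quoted))   # pasted SQL matches every row
    print(lookup_param(db, quoted))    # bound value matches no user: []
    print(find_pasted_sql(SAMPLE_SOURCE))  # lines 1 and 2 violate the policy
```

The regex check is deliberately simple and will miss f-strings, `.format()` and single-quoted literals; it is a starting point for the policy, not a substitute for code review.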

Blame it on the Chinese

Everyone will continue to hype the threat of Chinese hackers. Defenders will excuse their failures to lock down desktops and stop SQL injection by claiming "you can't expect me to defend against state sponsored hacking". The NSA/military/bureaucrats will hype the Chinese threats to pass laws giving them more access to your information, and giving you less access to government information.

...and more of 2012

Like we said last year, vendors and con presenters will push the cloud, SCADA, cyberwar, hacktivism angles. Moreover, we increase our odds to 85% that the Mayan apocalypse will not happen.


Anonymous said...


Robert Graham said...

In case people are curious about the above comment, it's because the original text said "Mayan's" instead of "Mayan". I edited the text to fix this, so you can't see it anymore.

Of course, I consciously know the difference, in my head. But what my fingers type differs a lot from what I'm thinking. Worse yet, I can't "see" what I've written without a lot of time passing, so no matter how much I edit the text, I can't see the flaw. Thus, my posts go out with a lot of really simple errors.

Kwpolska said...

Mayans weren’t technically wrong. They did not say “World ends on what you call 2012-12-21”. They just ran out of stone/need/… for a calendar. Do you have an analog, paper calendar around? Look at it. Depending on how generous its creator was and what year it is for, it ends somewhere between 8, 39 (2013-01-31, some calendars do that), 373 (2013-12-31), or 404 days (2014-01-31, but I think that would result in a 404 on your desk, and mine; I don’t have any analog calendars for 2013 and do not plan to get one!) OH SHIT END OF THE WORLD. This same way of thinking was used by the idiots who invented this apocalypse bullshit (New Age morons or something like that). Better yet: there is virtually no chance of apocalypse happening throughout the course of our lives. Unless we invent some magic that would let us live forever soon. Hint: we won’t.

George said...

If you predicted that no vulnerabilities would be found in PDF and flash, I'd be more impressed.

mokum von Amsterdam said...

Got some for ya:
- Internet brainiacs surprised over marginal IPv6 adaptation
- Most calls & SMS still over 2G with laughable 'security'
- Microsoft bosses in panic over worst adopted NT version ever
- Trendsetters struggling since Apple losing edge but no alternative
- Defenders surprised by more mass [md5] pwd dumps
- TelCo's caught off guard by malicious apps abusing premium SMS's
- Cellphone users riot over billing of data transfer never received
- VoIP fraud on the rise
- Yet another issue with certificates
- DNSSEC causes more problems than solutions
- Large companies found to be infected to an uncleanable level
- 16 year olds selling permanent access to said companies
- Government study finds AV is not a silver bullet
- Updates of software largely postponed due to fragility by complex or lacking design
- Governments looking for more control over Internet
- 'Anon' VPN providers under scrutiny
- Key disclosure laws proposed in most Western countries [rubber hose technique applied in others]
- Hippy finds flaw in interpretation of Mayan calendar: world will come to an end next year.

Devin said...

And, mark Java down for the list of 2013 vulnerabilities.
