Here are the predictions for the year 2013 for those of us in the security field.
- More pointless debates on full disclosure/non disclosure/selling 0day to governments or whatever. Our good friend @csoghoian will continue to demonize the 0day sellers such as VUPEN and @thegrugq who will continue not giving a flying monkeys.
- More “ERMAGHERD BLAME CHINA” nonsense, physician calling skript kiddie level phishing attacks involving poorly written remote admin tools and old exploits “Advanced Persistent Threats”. Some decent threat actors will pop up with some shiny 0days and cause a widespread pants-soiling as they 0day the hell out of some US defence contractors from .CN subnets and generally make AV firms a shedload of money.
- More passwords will be leaked as script kiddies with Havij and SQLmap pop large websites who still do not think SQL injection is a thing. Groups such as “Anonymous” and their offshoots will proliferate, purchase with several “wannabe lulzsec” scrublords making a bit of a mess.
- More holes in Java, Adobe, and IE. Lots of holes. AV firms will capitalize on these to sell “ENTERPRISE SECURITY” products to people.
- More SCADA vulnerabilities will be touted which will cause “OMG HACKERS CAN HIJACK POWER PLANTS” headlines.
- The good people at Attrition will expose a literal buttload of Charlatans and said charlatans will be laughed at.
- Kaspersky will find some more malware, probably in Iran, and make headlines about the mythical “Cyberwar” thing. Kaspersky will make more money and press.
- We will see more shitty XSS posted on Full Disclosure. ESPECIALLY by “Vulnerability Lab”.
- I am going to wake up on the first day of 2013 and post a pretty cool proof of concept exploit, as per tradition. I will possibly be laughed at for how simple it is, and someone, somewhere, will facepalm for not figuring it out first.
- I dropped my crystal future seeing ball, sorry.
And, those are our predictions. I am betting a pint on those, so they better bloody well be right.