Discussion:
[funsec] threats abound for 2010 what shall we do, oh my!
RandallM
2009-12-30 20:24:47 UTC
Let's have some fun-sec FUN:

McAfee put out top predictions for 2010. Based on these are any you can add, what mitigation efforts or proactive measures can individuals and companies do?

• Social networking sites such as Facebook will face more sophisticated threats as the number of users grows.
• The explosion of applications on Facebook and other services will be an ideal vector for cybercriminals, who will take advantage of friends trusting friends to click links they might otherwise treat cautiously.
• HTML 5 will blur the line between desktop and online applications. This, along with the release of Google Chrome OS, will create another opportunity for malware writers to prey on users.
• Email attachments have delivered malware for years, yet the increasing number of attacks targeted at corporations, journalists, and individual users often fool them into downloading Trojans and other malware.
• Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot.
• Banking Trojans will become more clever, sometimes interrupting a legitimate transaction to make an unauthorized withdrawal.
• Botnets are the leading infrastructure for cybercriminals, used for actions from spamming to identity theft. Recent successes in shutting down botnets will force their controllers to switch to alternate, less vulnerable methods of command, including peer-to-peer setups.
• In spite of the worldwide scope of botnets, we anticipate even more successes in the fight against all forms of cybercrime in 2010.
--
been great, thanks
RandyM
a.k.a System
Tomas L. Byrnes
2009-12-30 21:07:41 UTC
What, the left-baiting I just engaged in wasn't fun ;-)



I'd add that it's the year Network Security becomes a regulated
profession, so certification becomes mandatory.



V***@vt.edu
2009-12-30 21:22:02 UTC
Post by Tomas L. Byrnes
I'd add that it's the year Network Security becomes a regulated
profession, so certification becomes mandatory.
At best, you're going to see a requirement of certification by 2013 or so. They
aren't going to agree on a cert in under a year. And then you need a ramp-up
time.
Hubbard, Dan
2009-12-30 22:54:19 UTC
Regulated by who? And who is "they" who are agreeing on it?

Forget security, is there really ANY info-technology certification that is a mandated requirement today?











Tomas L. Byrnes
2009-12-31 00:51:40 UTC
Congress is debating a law that would require licensing of Infosec
professionals:

http://datasecurityblog.wordpress.com/2009/08/28/cybersecurity-act-is-federal-infosec-license-key-to-net-control/

Except in certain jurisdictions (MI FE) where doing forensics or other
investigations requires a private investigators license:

http://www.myharddrivedied.com/weblog/michigan_to_require_cissp_f.html

There is no current requirement, but that is changing.



Paul Ferguson
2009-12-31 01:22:42 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Tomas L. Byrnes
Congress is debating a law that would require licensing of Infosec
http://datasecurityblog.wordpress.com/2009/08/28/cybersecurity-act-is-federal-infosec-license-key-to-net-control/
Except in certain jurisdictions (MI FE) where doing forensics or other
http://www.myharddrivedied.com/weblog/michigan_to_require_cissp_f.html
There is no current requirement, but that is changing.
But this is only for "InfoSec Professionals" which work on/in/with Federal
Networks, etc., not private industry (unless contracted to the Fed).

Plus, I see this as folly, since "certifications" are a ruse, and are
certainly no evidence of capability, capacity, or expertise.

Also, I see that the Fed is already having problems finding people who want
a salary cut, have a security clearance, and want to be enveloped in a
bureaucratic quagmire:

"U.S. Struggles to Recruit Computer Security Experts"
http://www.washingtonpost.com/wp-dyn/content/article/2009/12/22/AR2009122203789.html

Cheers,

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFLO/zaq1pz9mNUZTMRAvjAAKC1iUtR0TOtgoTxuosCHmOhu8bm3QCg9XFW
ItMjolJL2+SKu0sk4TmiG48=
=aZTR
-----END PGP SIGNATURE-----
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
Tomas L. Byrnes
2009-12-31 01:44:00 UTC
I never said it was a good idea. I merely predicted it would come to
pass.

Most of the other things on that list are not exactly desirable.



Paul Ferguson
2009-12-31 01:48:05 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Tomas L. Byrnes
I never said it was a good idea. I merely predicted it would come to
pass.
Right -- and I said that it does not apply to private industry which is
arguably where most of the top-notch cyber security talent is anyway, so it
is a Red Herring of the highest order. :-)

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFLPALQq1pz9mNUZTMRAgR/AJ97atY4fJQ3XG7EUBLCGvKksPhJ9gCeJ+gd
MHlzjCwivMlFZkzdSCVMpj4=
=CnzM
-----END PGP SIGNATURE-----
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
Tomas L. Byrnes
2009-12-31 01:53:14 UTC
The PI license requirement in MI is universal, applying to any forensic
examination. AFAIK NC has the same legislation pending.

So, it does apply to private industry, as it will to any federal prime
or sub contractor (which, AFAIK, includes Trend).

Given that government contracting is the only growth industry out there
right now, the "do business with the feds" requirement pretty much makes
it a must have for anyone who really wants to work in the field.

Once again, not in favor, just predicting. I, for one, am finally going
to go waste billable hours getting certs (something I can ill afford to
do).


Paul Ferguson
2009-12-31 02:01:54 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Tomas L. Byrnes
The PI license requirement in MI is universal, applying to any forensic
examination. AFAIK NC has the same legislation pending.
So, it does apply to private industry, as it will to any federal prime
or sub contractor (which, AFAIK, includes Trend).
I've been personally asked by Federal Law Enforcement on several occasions
to assist on cyber crime issues -- I submit to you that will not change,
regardless of whatever farcical certification issues crop up.
Post by Tomas L. Byrnes
Given that government contracting is the only growth industry out there
right now, the "do business with the feds" requirement pretty much makes
it a must have for anyone who really wants to work in the field.
Once again, not in favor, just predicting. I, for one, am finally going
to go waste billable hours getting certs (something I can ill afford to
do).
I won't waste my time, since I probably help define any silly
"certification" process just by being a pioneer in the field, so to speak.
:-)

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFLPAYLq1pz9mNUZTMRAoAXAJ0ZudLGeS9WCspOYMovDEX6/CtocACfauqF
X8zC+pQk+xcsvt1B4R0Y/EY=
=VSEn
-----END PGP SIGNATURE-----
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
Tomas L. Byrnes
2009-12-31 02:58:48 UTC
Paul, this isn't about you, or Dan, or realistically about me (although,
since ThreatSTOP just signed up a large county government in MI with
more revenue than it costs for me to take the dang test, I'm going to
take the test to check the box), it's about the future of our craft.

Sure, you're going to get grandfathered, the same way you wouldn't have
to go through the JFK SW school if you went back in; or they'd make me
rerun pathfinder, RIP, or any of the other "superseded" schools; or
require that either of us go through any form of "CND" orientation. Our
sad sack old butts would still have to pass PT, but that's making the
standard, not proving we know what we're doing.

Doesn't mean that the world isn't a changing for the new guys, and not
for the better (and that the shortage of "qualified" people won't get
worse).

All I'm sayin is: ya wanna play, they gonna make ya pay. I donna like
it, I don't think it's productive, but the regulators have taken over,
the government is the only source of new cash, and tilting at windmills
doesn't pay the bills.



Paul Ferguson
2009-12-31 03:18:04 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Tomas L. Byrnes
All I'm sayin is: ya wanna play, they gonna make ya pay. I donna like
it, I don't think it's productive, but the regulators have taken over,
the government is the only source of new cash, and tilting at windmills
doesn't pay the bills.
And that is why the Bad Guys will win.

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFLPBfoq1pz9mNUZTMRAjMNAKCHdv3rThQOc3O7xJyFjTkXW0QPEACgg3WD
Ro6UPHsKKsYcZnkulJov1uU=
=Fd4I
-----END PGP SIGNATURE-----
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
Tomas L. Byrnes
2009-12-31 03:24:17 UTC
Nah, they still gotta deal with us Old Ones ;-)



Joel Esler
2009-12-31 13:54:50 UTC
Post by Paul Ferguson
Post by Tomas L. Byrnes
Congress is debating a law that would require licensing of Infosec
http://datasecurityblog.wordpress.com/2009/08/28/cybersecurity-act-is-federal-infosec-license-key-to-net-control/
[...]
Post by Paul Ferguson
Plus, I see this as folly, since "certifications" are a ruse, and are
certainly no evidence of capability, capacity, or expertise.
Hear, hear. Glad someone agrees with me. I think certifications are not
without their merit, as it proves "at one time, during this period in time,
this person knew something. If that information is still there, we don't
know".

If you can bootcamp a cert, it's not worth having.
--
Joel Esler | 302-223-5974 | gtalk: ***@sourcefire.com
Matt Watchinski
2009-12-31 01:40:21 UTC
I'll play on all fronts, predictions, left-baiting, and proactive measures.

Additional predictions

1. Don't leave Apple off the Adobe train.
2. Critical Infrastructure as a political weapon will result in mass
hilarity and security theater. I'll go as far as saying fark will need a
new Florida tag for articles on this topic.
3. SmartPhones become a viable target for criminals.

Mitigation efforts

1. Re-think your soft spots. Microsoft won't be your major pain in 2010,
it's going to be the other 3rd party apps that everyone runs in your
organization. If you don't have a good strategy for patching / updating
these other apps in your organization, it's time to find one.

2. Find tools and new solutions for the Social networking problems. No
current security solution does a ton of inspection of this type of traffic,
however, there are a lot of tools that can identify Facebook app usage,
attempt to block some of it, and understand some other Web 2.0 widgets.
Start off simple, just identifying these types of applications and their
usage on your network, then move onto actually doing something with it.
Simple tools like snort or tcpdump can get this type of data.

3. Lay traps. If your organization has a security team and all they do is
sit around and watch the IDS logs / AV logs / and clean-up infected
machines, then they are being lazy. One of the great things you can do is
lay traps, especially if you know something about your network. If you know
that everyone uses Internet Exploder then write something that looks for
User-Agent strings that aren't IE; put something on the email server that
counts the number of PDF files you receive every day, average it, and go
looking when it changes.

Left-Baiting and Right-Baiting

1. Mandatory Certification for Network Security is the most laughable thing
I've heard in a long time. If this comes to pass I'm joining the money
train associated with it, with Exam prep books, learning software, and other
ways to pass it and not learn anything.

2. One more prediction to add to the baiting, not 100% network security
related. Deployment of full body scanners at Airports will result in the
best celebrity photos leaked to your favorite trash magazine in the grocery
store.

Cheers,
-matt
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
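
The two traps described in the post above (flagging User-Agent strings that are not IE, and averaging the daily PDF count and looking when it changes), sketched as an added example that is not part of the original post or anyone's production tooling. The log format (combined log format), the `MSIE` token, the 7-day window, the 3-sigma threshold and all sample data are assumptions made here.

```python
import re
import statistics
from collections import Counter, defaultdict, deque

# Constructed sample data (not from the thread): a proxy access log in
# combined log format and ten days of inbound PDF attachment counts.
PROXY_LOG = """\
10.0.0.11 - - [04/Jan/2010:09:01:12 +0000] "GET http://intranet.example/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.0.12 - - [04/Jan/2010:09:02:40 +0000] "GET http://news.example/ HTTP/1.1" 200 20480 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.23 - - [04/Jan/2010:09:03:05 +0000] "GET http://files.example/a.bin HTTP/1.0" 200 901120 "-" "Wget/1.11.4"
10.0.0.23 - - [04/Jan/2010:09:03:09 +0000] "GET http://files.example/b.bin HTTP/1.0" 200 12288 "-" "Wget/1.11.4"
10.0.0.31 - - [04/Jan/2010:09:05:44 +0000] "POST http://update.example/in HTTP/1.1" 200 64 "-" "-"
this line is truncated and must be skipped
"""

PDF_COUNTS = [
    ("2010-01-04", 40), ("2010-01-05", 42), ("2010-01-06", 38),
    ("2010-01-07", 41), ("2010-01-08", 39), ("2010-01-09", 43),
    ("2010-01-10", 40), ("2010-01-11", 41), ("2010-01-12", 95),
    ("2010-01-13", 12),
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def non_ie_clients(log_text, expected_token="MSIE"):
    """Trap 1: per client, count User-Agent strings lacking the IE token.

    The header is client-controlled, so this only catches software that
    does not bother to imitate the standard browser; treat hits as leads.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # unparseable line: skip rather than guess
        ua = m.group("ua")
        if expected_token not in ua:
            hits[m.group("client")][ua] += 1
    return {client: dict(uas) for client, uas in hits.items()}


def pdf_count_anomalies(daily_counts, window=7, threshold=3.0, min_sigma=1.0):
    """Trap 2: flag days whose PDF count departs from the rolling average.

    The baseline is the last `window` unflagged days. Flagged days are
    kept out of it so one spike does not hide the next. `min_sigma`
    keeps a perfectly flat baseline from alerting on a change of one.
    """
    baseline = deque(maxlen=window)
    alerts = []
    for day, count in daily_counts:
        if len(baseline) == window:
            mean = statistics.mean(baseline)
            sigma = max(statistics.pstdev(baseline), min_sigma)
            z = (count - mean) / sigma
            if abs(z) >= threshold:  # a drop is as interesting as a spike
                alerts.append((day, count, round(z, 1)))
                continue
        baseline.append(count)
    return alerts


if __name__ == "__main__":
    for client, uas in non_ie_clients(PROXY_LOG).items():
        print("non-IE client", client, uas)
    for day, count, z in pdf_count_anomalies(PDF_COUNTS):
        print("PDF volume changed", day, count, "z =", z)
```
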
David Lodge
2009-12-31 11:42:41 UTC
On Thu, 31 Dec 2009 01:40:21 -0000, Matt Watchinski
Post by Matt Watchinski
2. One more prediction to add to the baiting, not 100% network security
related. Deployment of full body scanners at Airports will result in the
best celebrity photos leaked to your favorite trash magazine in the grocery
store.
Agreed, and we will probably hear somebody seriously suggest that people
ought to fly naked after the next attack.
G. D. Fuego
2009-12-31 13:11:44 UTC
Post by David Lodge
On Thu, 31 Dec 2009 01:40:21 -0000, Matt Watchinski
Post by Matt Watchinski
2. One more prediction to add to the baiting, not 100% network security
related. Deployment of full body scanners at Airports will result in the
best celebrity photos leaked to your favorite trash magazine in the grocery
store.
Agreed, and we will probably hear somebody seriously suggest that people
ought to fly naked after the next attack.
Hey, some people pay extra for the privilege.

http://us.mobile.reuters.com/mobile/m/AnyArticle/p.rdt?URL=http://www.reuters.com/article/idUSL2975435320080129
The Security Community
2009-12-31 14:08:14 UTC
Has anyone bothered to check the predictions of 2009 against reality?

As I recall, McAfee, et al. predicted that massive numbers of
unemployed IT workers would turn to cybercrime. If this ever came to
pass, it never made the news as far as I can tell.

Here is one such prediction, from 12/2008...

http://www.silicon.com/management/cio-insights/2008/12/11/jobless-techies-turning-to-crime-39363838/

---quote---

"Impoverished techies and IT workers who have been made redundant will
go rogue in 2009, selling corporate data and using crimeware, reports
predict.

"The credit crunch will drive IT workers to increasingly use their
skills to steal credit card data using phishing attacks and to abuse
their privileged corporate computer access to sell off valuable
financial and intellectual information, forensic experts have warned."

---/quote---
V***@vt.edu
2009-12-31 15:59:36 UTC
Post by The Security Community
As I recall, McAfee, et al. predicted that massive numbers of
unemployed IT workers would turn to cybercrime. If this ever came to
pass, it never made the news as far as I can tell.
How would we tell?
Tomas L. Byrnes
2009-12-31 18:21:27 UTC
The improved code quality of malware, as well as the rapid adoption of
new features of web browsers, and demonstrated better understanding of
networking (advertising unused more specific routes via BGP for
transient hosting, fast-flux DNS), over the past decade indicate to me
that this is at least partly true.

The Security Community
2009-12-31 18:25:47 UTC
Post by V***@vt.edu
Post by The Security Community
As I recall, McAfee, et al. predicted that massive numbers of
unemployed IT workers would turn to cybercrime. If this ever came to
pass, it never made the news as far as I can tell.
How would we tell?
Look for news stories about unemployed IT workers, I guess.

Here's a 2009 story about an angry, unemployed IBMer...

http://macombdaily.com/articles/2009/04/03/news/doc49d64ee937c92152544978.txt

Unemployed UNC IT worker (October 2009)...

http://www.charlotteobserver.com/local/story/998552.html

Mostly we find stories about gainfully employed IT workers who are crooks...

http://dealbook.blogs.nytimes.com/2009/11/13/2-programmers-charged-with-aiding-madoff/

Anyway, it doesn't look like that prediction panned out. If it had,
the Nostradumbasses would be patting themselves on the back and
predicting more of it for 2010.

der Mouse
2009-12-31 13:33:26 UTC
[W]e will probably hear somebody seriously suggest that people ought
to fly naked after the next attack.
Now _that_ might even get me back on planes. (I have little-to-no body
modesty on my own account; it's something I observe to avoid disturbing
others. And I like shaking up established habits - where, as in this
case, I see the disruption as basically harmless.)

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
David Harley
2009-12-31 10:21:28 UTC
Based on these are any you can add, what mitigation efforts
or proactive measures can individuals and companies do?
Not based on anything but cynicism. But it amused me anyway.

http://www.eset.com/threat-center/blog/2009/12/30/top-ten-trite-security-predictions

--
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence, ESET
Drsolly
2009-12-31 15:54:03 UTC
Post by David Lodge
On Thu, 31 Dec 2009 01:40:21 -0000, Matt Watchinski
Post by Matt Watchinski
2. One more prediction to add to the baiting, not 100% network security
related. Deployment of full body scanners at Airports will result in the
best celebrity photos leaked to your favorite trash magazine in the
grocery
store.
Agreed, and we will probably hear somebody seriously suggest that people
ought to fly naked after the next attack.
If god had meant people to fly clothed, we wouldn't be born naked.

Speaking of which ...

Have you seen the Alpha survey on http://www.alpha.org ?

"Does god exist", "Yes, no, probably" are the options.

The current vote is 95% "No"

Which is quite surprising, for a pro-christianity site. Possibly a
miracle, even.
Drsolly
2009-12-31 15:57:31 UTC
Post by der Mouse
[W]e will probably hear somebody seriously suggest that people ought
to fly naked after the next attack.
Now _that_ might even get me back on planes. (I have little-to-no body
modesty on my own account; it's something I observe to avoid disturbing
others. And I like shaking up established habits - where, as in this
case, I see the disruption as basically harmless.)
You could charge a premium for all-naked flights, based on the improved
security it brings. But you'd allow people to wear blindfolds once
boarded, so they didn't have to see horrible sights all through the
flight.

And the captain would be allowed to wear a hat.