The Year That Didn't Happen: 2012's Incorrect Security Predictions
CREDIT: Damon Carter/Shutterstock.com
Before we rush into 2013, let's take a moment to see to see what digital-security experts got wrong in 2012.
No year-end review is complete without looking at all the things that didn't happen. Looking over security predictions that were made for 2012, it's clear that most of the predictions were more or less on target, but there were still a handful of misses.
Some of the flubs were because anticipated technology changes, such as a wholesale shift to Internet Protocol version 6 (IPv6), just didn't happen.
There were other cases where experts' predictions did come to pass, but not quite to the extent or in the manner they'd expected.
Predictions may be based on observed trends and patterns, but they're still guesses, not guarantees.
"How'd we do? Overall, pretty well," said Rob Rachwald, director of security strategy at Imperva in Redwood Shores, Calif., even as he acknowledged some misses.
All your files are belong to us
A year ago, security experts agreed on the issues that would dominate 2012, such as the continued rise of mobile malware, an increase in the number of hacktivist attacks, more attacks on digital certificates and the Domain Name System infrastructure and attackers targeting users via social media.
However, the sudden explosion of ransomware came as a surprise.
"Ransomware fell in the 'trend we did not predict,'" Richard Wang, manager of SophosLabs USA in Burlington, Mass., told TechNewsDaily.
Ransomware, a relatively new twist on scareware, involves criminals infecting computers, encrypting or otherwise locking up the files and then demanding users pay ransoms to retrieve their data.
In its most recent "police Trojan" form, ransomware pretends to come from the FBI or another law-enforcement agency and demands "fines" in exchange for not prosecuting the victim for possessing pornography.
More typical scareware, such as fake anti-virus alerts, had been on a decline as potential victims began to learn how to recognize the rogue software, Wang said. But ransomware's spike changed that.
To their credit, researchers at Websense in San Diego had predicted that fake anti-virus attacks would "stage a comeback" in 2012, but they also hadn't expected to see ransomware proliferate.
"While most of the victims have been individuals, rather than corporations, the potential for greater exploitation will increase," said Chris Astacio, manager of security research at Websense.
HTML5 fails to materialize
Some predictions missed because the underlying technology wasn't widely adopted.
HTML5, the new Web-browser standard intended to replace Flash and other plug-in multimedia software, was supposed to dominate the Web by the end of 2012.
Developers were supposed to abandon plug-ins in favor of the "build once, use everywhere" promise. But while there were some great strides in HTML5 adoption this year, the anticipated shift did not live up to the hype.
"A miss, though not a big miss," Rachwald said, explaining why Imperva's predictions about an increase in attacks against HTML5 did not come about.
It would have been a golden opportunity for hackers, too.
"It's much more cost-effective to create a cross-browser exploit than to create an exploit aimed at a specific one. The ubiquity of HTML5 provides them with just that," Rachwald said a year ago.
Some issues involving HTML5 did crop up. At the BlackHat 2012 conference in Las Vegas this past summer, a pair of researchers demonstrated how a malicious website written in HTML5 could be used to push a rogue firmware update onto the user's network router and thus take over the user's local network.
… as do IPv6 and digital wallets
HTML5 wasn't the only technology that flopped in 2012.
With the world's supply of Internet Protocol version 4 addresses running out, and the semi-official implementation of its replacement, IPv6, some experts thought IPv6 adoption would soar.
And with more computers on IPv6, criminals would launch more attacks and malware against the new networking standard, experts predicted.
But despite the second annual World IPv6 Day in June, during which many organizations formally switched their websites, IPv6 still failed to catch on.
"Slower uptake of these technologies means they have been a less attractive target for attackers," said Wang.
Then there were mobile payment technologies such as Google Wallet. Sophos, among others, had predicted attacks against such "digital wallets." But while there was a lot of industry interest, consumers weren't as eager to adopt general-purpose mobile payments, Wang noted.
Without a large group of potential victims to attack, criminals ignored digital wallets. Even now, only a handful of phones have the necessary near-frequency communications (NFC) chips, so exploitation is in the "still waiting" bucket.
Social-media credentials remain unsold, data still unprotected
Social-media attacks were big in 2012, as criminals used Twitter, Pinterest, Facebook, Tumblr and a slew of other social-networking platforms to craft and launch attacks.
Websense researchers had predicted cyber-criminals would begin to buy and sell social-media credentials in underground forums, as they already do with credit-card numbers.
"Social identity may prove more valuable to cybercriminals than your credit cards," Websense had said.
But while there were indeed some social-media credentials for sale in various carding forums in 2012, they seemed to be more of a side endeavor.
Gangs using the Zeus banking Trojan "opened clearinghouses of social credentials they gathered incidentally from their search for online banking logins," Astacio said.
Social currency is valuable, and the volume of sales still has a ways to go before it can match credit-card data, but "the potential is still high for the acceleration of this activity," Astacio said.
With ordinary people increasingly aware of how much personal data was being collected about them, it seemed natural to expect that companies would change how they handled it, according to predictions from the experts at Identity Theft 911 in Scottsdale, Ariz.
They expected businesses would start thinking about privacy and security from the outset, but despite some well-publicized data breaches, "it didn't quite happen to the extent hoped for," said Brian McGinley, senior vice-president of data risk management at IDT911.
McGinley noted that there were some promising signs, such as Facebook's efforts to makes its privacy settings easier to follow.
Few election-day shenanigans
In 2012, Internet attacks took an increasingly political slant, as hacktivist groups resorted even more to distributed denial-of-service attacks and deliberate data breaches as forms of protest. But the presidential election emerged relatively unscathed.
The fact that several states allowed Internet voting for special groups meant criminals would "try and take advantage," the experts at Internet Identity in Tacoma, Wash., predicted last year.
Internet Identity predicted various security threats, such as malware and phishing attacks that exploited interest in the election, fraudulent voting sites, attempts to alter votes and direct attacks on voting machines.
"Nice to see that doesn't appear to have happened," said Rod Rasmussen, president and chief technology officer of Internet Identity.
There were indeed a few reports of phishing and malware attacks leading up to Election Day, and of several instances where voting machines weren't working correctly, but there weren't "any credible stories about hacks of the election," Rasmussen said.
That may be because "people's radars were finely tuned to be looking for trouble," he said.
"Nothing like shining a light to keep bad things from happening," Rasmussen said.
With New Year's Day just past, everyone seems to have a crystal ball as they predict more targeted attacks, more mobile threats, and more nation-state cyberattacks in 2013.
That's interesting, but it's also a good time to remember that not all those scenarios will come about.
"We were pretty dead-on for 2012," McGinley said. "We can only hope to be wrong for our 2013 predictions."