Tuesday, 27 December 2011

Looking forward into what lies ahead for us in 2012, Zscaler offers predictions for the upcoming threat landscape.

1. Mobile: With WebOS now officially an orphan, BlackBerry OS racing to the grave and Windows Mobile still trying to get ready for the party, the victors can be crowned: iOS and Android have won. The interesting part of the race is about to begin, namely who has the best security model. Will it be Apple's draconian "we control everything" or Google's happy-go-lucky "come on in, everyone's invited" approach?

Prediction: The "do no evil" company will struggle mightily to keep evil applications out of its App Marketplace. In an effort to avoid being to mobile what Windows is to PCs (a breeding ground for malware), Google will subtly make Android less open to both partners and developers. It will also announce an initiative to increase security screening for applications before deployment in the App Marketplace. Apple, on the other hand, will have comparatively few malicious apps to deal with, but at least three major OS flaws that impact all users (and make the jailbreak team happy). Apple will address the vulnerabilities several days late and apologize to no one.

2. Enterprise: Thanks to marketing teams across the globe, APT (Advanced Persistent Threat) has become a meaningless buzzword in the security lexicon. Let's therefore ditch that term and instead focus on targeted attacks, specifically those aimed at enterprises with the goal of corporate espionage or inflicting financial damage. Many praised Google for coming forward in January 2010 to reveal that it and others had been the victims of a sophisticated targeted attack, likely originating from China. Many in the public mistakenly assumed that this was a new and previously unseen event on the security stage. What was new about it was the openness displayed by Google in discussing the situation.

Prediction: The term "APT" will go the way of "eCommerce" and the Dodo bird, but stories of targeted attacks against enterprises will rise tenfold in the media. This will reflect both increased activity by attackers as they broaden their reach to smaller companies and decisions by corporate counsel to disclose details of an attack rather than suppress the information and risk litigation for covering up such activity.

3. Web: Want to know a secret for making security predictions? Take a look at what was being discussed at security conferences two to three years ago. At Black Hat DC 2009, I discussed the dangers of persistent web browser storage. One of the key technologies taking browser storage to the next level is HTML5. In 2009, HTML5 apps were few and far between. Thanks in large part to mobile browsers, HTML5 is now much more mainstream. As with any new technology, developers are quickly rushing to play with the new kid on the block and publishing their goods without taking the time to understand the security implications.

Prediction: We'll see an increasing number of web application vulnerabilities in HTML5 apps, not because the technologies behind it are insecure, but because they are not well understood from a security perspective.

4. Hardware: Security in the hardware space is at least ten years behind security in the software industry. This isn't so much a reflection of the good work being done in software as it is the reality of software vendors being forced to address an issue that was impacting business. Thanks to the efforts of many great researchers investing countless hours doing QA work that should have been done long before products hit the shelf, today most major software vendors have no choice but to employ security response teams and take vulnerability disclosure very seriously. Hardware vendors simply haven't faced the same scrutiny, but that's changing. This year at Black Hat, I spoke about the sad state of embedded web servers, and recently researchers at Columbia University discussed the ability to remotely cause physical damage to HP printers due to security flaws.

Prediction: Hardware vendors will get a wake-up call as researchers shift their efforts to hardware and party like it's 1999.

5. Social: The majority of malicious activity surrounding social networks today involves unwanted or nuisance traffic as opposed to attacks that lead to a fully compromised machine. We're seeing an increase in likejacking and self-inflicted JavaScript injection attacks that share the same overall goal: drive web traffic or prompt software downloads that earn the scammer a few cents per click. Social networks such as Facebook are of value to more serious criminals, but mainly for reconnaissance during targeted attacks. They are a great resource for learning background information about an individual and uncovering relationships, all of which can be of great value for social engineering. We're not, however, commonly seeing the communication aspects of social networks used to deliver malicious payloads directly to victims, or investment in uncovering web application vulnerabilities used to compromise end-user machines rather than to spread the aforementioned scams.

Prediction: Attackers will raise the bar and leverage social networks for more sophisticated attacks, the goal of which will be full compromise as opposed to marketing financial scams.


Online "hacktivist" group Anonymous claimed Sunday it had stolen a trove of emails and credit card information from US-based security firm Stratfor's clients, and vowed additional attacks.
Hackers provided a link on Twitter to what they said was Stratfor's private client list, which included the US Defense Department, Army, Air Force, law enforcement agencies, top security contractors and technology firms like Apple and Microsoft.
They also posted images online claiming to show receipts from donations made by the hackers on behalf of some of Stratfor's clients by using their credit card data.
The hackers said they were able to obtain the information in part because Stratfor did not encrypt it, which could prove a major source of embarrassment to the global intelligence firm.
"Anonymous hacks and discredits @STRATFOR intelligence company," Twitter user YourAnonNews wrote on the micro-blogging website. "Maybe they should learn what encryption is."
An alleged Anonymous hacker who uses the Twitter handle anonymouSabu claimed that over 90,000 credit cards from law enforcement, journalists and the intelligence community had been leaked and used for "over a million dollars" in donations.
A widely distributed hacking message posted online, however, mentioned just 4,000 credit cards, passwords and home addresses.
Among the donations shown was a $494 payment on behalf of the Department of Defense for textbooks, a school uniform and food crisis education provided by charity CARE for impoverished girls and women.
A $180 payment was allegedly made to the American Red Cross on behalf of a Department of Homeland Security official, and was signed "Thank you! Department of Homeland Security."
Another $200 payment was made to the American Red Cross on behalf of a Texas Department of Banking official.
In an email to its members, Stratfor said it had suspended its email and servers after learning the website was hacked.
In a subsequent message, it said the disclosure was "merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor."
Stratfor said it had contracted a "leading identity theft protection and monitoring service" and urged members to take their own precautions, including notifying banks about any suspicious credit card activity.
"We are on top of the situation and will continue to be vigilant in our implementation of the latest, and most comprehensive, data security measures," said the email, signed by chief executive George Friedman.
"We are working to restore access to our website and continuing to work closely with law enforcement," Friedman wrote, adding his "sincerest apologies for this unfortunate incident."
The company's website was still down as of early Sunday evening.
Wishing a "Merry LulzXmas" to all -- in an apparent reference to Anonymous-affiliated group Lulz Security -- Anonymous vowed to go after celebrities Justin Bieber, Lady Gaga, Kim Kardashian and Taylor Swift.
Anonymous has been involved in scores of hacking exploits, including the recent defacing of a website of Syria's Ministry of Defense to protest a bloody crackdown on anti-government protesters.
Last year, the shadowy group launched retaliatory attacks on companies perceived to be enemies of the anti-secrecy website WikiLeaks.
