Showing posts with label Awareness. Show all posts

Saturday, January 18, 2014

What's coming in 2014?


What's coming to information security world in 2014?

These are my views:
1. Malware will be for profit. No longer about fun. It will be harder to track who is behind it.
2. Cryptolockers or the like will go mainstream.
4. Demand for digital/IT forensics will go up.
5. More providers will enhance their service offerings with encryption to respond to the NSA's spying activities.
6. Companies and government organisations will collaborate more to fight cybercrime. More joint announcements will be made on successful take-downs of botnets or cybercrime networks.
7. Windows XP end of life will have a high impact and will directly contribute to higher botnet activity. The bad guys are holding their cards now, waiting for the right time to swallow their prey once XP is left orphaned.
8. More malware will target Android devices. I won't be surprised if Cryptolocker invades Android soon (if it has not already done so).
9. Data breaches will continue to rise. We will see more data breaches of big retail or non-IT services companies.
10. Big Data will be one of the hot topics discussed.

What's yours?

Acknowledgement: 
Picture's source - http://www.flickr.com/photos/danmoyle/11178388835/sizes/z/ 

Tuesday, January 8, 2013

Yahoo Mail is now fully HTTPS. This is how to turn it on.



Good news for loyal Yahoo Mail users like me: as of 2013 you can have a full HTTPS session when using Yahoo Mail.

Some would argue that Gmail has had it implemented since the day it was launched years ago. Anyway, it's still good news to us. Yahoo is doing all the right things after they recruited their new CEO Marissa Mayer from Google. In case you missed it, the recently updated Yahoo Mail interface is also better, faster and simpler to use.

Why HTTPS? In layman's terms, to protect your email session from malicious eyes. It's the same reason why you want your internet banking to be in HTTPS. Want to know more about HTTPS? Check out the wiki :)

So, how do you turn on HTTPS in Yahoo Mail? It's pretty simple actually. Go to Mail Options, scroll down and tick the box. See below:


Tuesday, November 20, 2012

Counter Cybercrime - Turn insiders (employees) into assets

Security Awareness and Education

Darkreading has a very good article today - Four Ways to Turn Insiders into Assets

In general, I like the idea as I'm a believer in putting more effort into security awareness and education.

Robert Lemos, the author of the article, listed 4 ways:
(NOTE: Text in italics is excerpted from the original article. Comments are added by me.)

1. Focus on changing user behavior
When it comes to training users, about 70 to 80 percent of companies are driven by compliance requirements and just want to get the box checked for training their employees, says Aaron Cohen, a managing partner at MAD Security, a security training firm.  

Securityisfun: This is so true. I have seen this quite a lot. Most companies do it because the law or audit results said so. Ask yourself a question. Why do you send your kids to school? Is it because the government or law requires it? No, we send children to school because we want them to become educated people and learn how to behave correctly from a young age. So, we all understand that education or awareness is the key. It shouldn't be any different when it comes to information security. We have to educate all the employees.

2. Test and retest
Videos may work for some employees, but testing their reaction to an actual test can give a company an idea of what might happen, while giving the worker valuable experience in what to expect in the future. Security training company PhishMe, for example, allows companies to send their employee phishing e-mails. Anyone who clicks on the e-mail link will be brought to a special site to educate them.  

Wednesday, November 14, 2012

How secure your SMS token/mTAN/TAC code is really up to you

Users will always click on a URL sent to them, right? I bet any information security pro out there must have heard or said this before.

Here is a news report that some people in Germany had their bank accounts wiped out after a Trojan "intercepted/diverted" their mTAN (SMS-based one-time password).

Excerpt from the news by Thelocal.de:

Berlin state police warned on Tuesday that "bank customers using the SMS-TAN/mTAN process have become victim of fraudulent money withdrawals." Several people have reportedly had their bank accounts emptied in the past few weeks, the police said in a statement.

"In all cases, the SMS containing the mTAN for the online banking system was caught or diverted," the statement said. "Up until now, those affected have been customers using a Smartphone with an Android operating system."