
Roger Grimes

Most Recent Posts by Roger Grimes

Why You Can't Dump Java (Even Though You Want To)

Java's direct responsibility for the recent Mac Flashback Trojan attacks has many calling for Java's retirement, including InfoWorld's own Woody Leonhard.

It's understandable. Unpatched Java is responsible for a sizable proportion of today's successful Internet browser attacks, including two compromises I've suffered over the last couple of years. It's also been the culprit behind nearly every Windows exploit that's affected friends and family, aside from the pure social engineering exploits from phishing, Craigslist scams, and so on.

Spoiler Alert: Your TV Will Be Hacked

Last week you may have read a headline that blared "100 million TVs will be Web-connected by 2016." Regular readers of this blog know I'm always on the lookout for new threats, so the question naturally arises: Will Internet TVs be hacked as successfully as previous generations of digital devices?

Of course they will!

5 Big Security Mistakes You're Probably Making

How vulnerable are most companies to hacking? So vulnerable that hackers claim they can point their systems at pretty much any target and be guaranteed of breaking in fairly quickly. Most run-of-the-mill vulnerability testers I know can break into a company in a few hours or less. It must be child's play for professional criminals.

It doesn't have to be this way. The problem is that most IT admins are making the same huge mistakes over and over.

Defeating Hackers and Malware With Disorder

Entropy -- the measure of disorder or randomness -- isn't always desirable in the world of IT security. Kinda, sorta patching your IT systems sometimes, for example, would be a bad thing. At times, though, entropy can be a powerful tool, as in the case of well-chosen passwords that are difficult to crack. A fast-growing SIEM (security incident event management) company called Vigilant is using entropy in an innovative way that warrants a closer look: Its anomaly-detection service identifies malicious threats based on entropy.

First, a quick primer: Entropy, often measured in bits, is the technical measurement of the randomness of the next piece of data in a string. If you see a sequence of letters with a clear pattern, such as "ABABABABA," you would logically predict the next letter in the series will be B. Because the answer is fairly certain, the entropy would be 0. If you're flipping a coin, the predicted outcome, heads or tails, is considered to be 1 bit of entropy. If a native English speaker is shown a sequence of standard English text and is asked to predict the next letter, he or she could guess it with great accuracy. English text is considered to have an entropy of 0.6 to 1.5 bits.

Cyber Crime in 2025: New Threats Mingle with Old Risks

With the new year upon us, I'm pulling out my crystal ball to predict the computer security threats of tomorrow -- and I don't mean 2012. I'm looking ahead to 2022 or 2032. Over the next couple of decades, technology will surely continue to evolve, and if the past is any guide, we can expect that today's security problems -- buffer overflows, misconfigurations, poor authentication implementations, and data malformation -- won't much change; they'll just move to the latest gadgets.

Think, first, about how much our lives have changed in the past couple of decades. My kids wouldn't understand how tough it was to choose between a 10MB and a 24MB hard drive when all I really needed were two floppy drives to get the computer up and running. They'd say, "What's a megabyte?" Or for that matter, "What's a floppy drive?"

Security Headlines You'll Never Read

Whenever I read another article about how Company X or University Y or Governmental Organization Z was "recently" hacked -- usually "by the Chinese" -- I can't help but chuckle. Those headlines -- the most recent about the U.S. Chamber of Commerce -- shouldn't read, "Company X was hacked!" They should read, "Company X has been hacked for years but just now noticed!"

Headlines that, to me, would truly be newsworthy include:

Mobile Security Fails the History Lesson

Mobile users from all walks of life, from the average citizen to business bigwigs to movie stars and politicians, are getting their phones and voicemail hacked these days. Most of the perpetrators aren't even skilled hackers; they're regular Joes, spurned suitors, or even -- hold your nose -- reporters.

End-users certainly deserve part of the blame here, but phone vendors and mobile carriers alike could be doing more. It's not as if attacks targeting phones are especially new. It's a strange paradox: We know what we need to do to stop hacking. We have two decades of experience in putting down malware and hackers in the PC-based, network world. But we seem to be ignoring all those lessons as we move our CPUs and storage to new form factors. Am I the only one who thinks we're destined to live out every PC-based malware symptom in our smartphone world?

How to Deny DDoS Attacks

Over the past couple of years, DDoS attacks haven't just become more sophisticated -- they've gone mainstream to the point that attackers aren't shy about using them brazenly in the name of social and political activism. Perpetrators rarely face any form of punishment, and it doesn't help that some judges have deemed the practice legal.

"It's no longer hidden. It's very, very public, it's well known," said Neal Quinn, VP of operations at Prolexic, a company that specializes in mitigating DDoS attacks. "And I'm not just talking about the Anonymous group, but all manner of people who openly use DDoS to make their point. It's mainstream. It's the most striking change over the last 18 to 24 months."

Why Hackers Don't Need to be Smart

Online, in print, on TV, and on the radio, report after report claims that malicious hacking is "more sophisticated than ever before." The media seemingly wants the world to believe it's beset by impossible-to-stop uberhackers with super-sophisticated tools and skills.

The reality is far different: Malicious hackers are using pretty much the same old tools and exploiting the same old weaknesses. However, companies and end-users aren't doing what they need to defend themselves. Anyone who promotes today's attackers and their tools as near-invincible is doing a serious public disservice.

Google's Stealth Updates: Why Nobody Else Gets Away With It

Google has a big advantage over competitors when it comes to pushing out patches for Chrome and other software products: The company can, by default, automatically update users' systems on Windows and Apple platforms. That's good for Google and for users in that it ensures people are running the newest, most secure version of the company's wares, which in turn helps to keep Google off top 10 lists of vendors with the most exploitable software. But Google seems to be the exception to the rule, and dealing with unpatched software remains a huge issue for the industry.

According to Kaspersky Lab, for example, Adobe and Java software now accounts for all 10 of the most popular successful exploits. Yet most of the holes discovered in those offerings are patched relatively quickly after public disclosure; it's just that people aren't downloading the patches. According to Zscaler's latest "State of the Web" security report, for example, more than 56 percent of enterprise Adobe Reader users are running an outdated version. This trend is not overly different for many of the world's most popular applications.

The Cyber Crime Tide is Turning

In the grand scheme, not much ever seems to improve in computer security. No matter how much we hone our security-defense strategies, how many firewalls we deploy, how many remote buffer overflows we reduce, and how quickly we patch our OSes, IT systems keep getting hit by malicious hackers. If the computer security industry were to measure itself on the ultimate question of whether we're doing a better job of protecting computer users, the answer would be a definitive no.

But the tide is turning, at least for the time being. I've noticed one long-term trend that's improving: Local, national, and international law-enforcement groups alike are tracking down and arresting more malicious cyber criminals. And not just the stupid and lazy ones -- some big fish have been stopped or apprehended.

To Beat Hackers, You Must Think Like Them

Career advisers often ask me what trait would most help an IT security pro excel. My answer is always the same: Think like a hacker.

I don't mean in the sense of a black hat hacker who engages in illegal practices, but true computer security pros are always hacking systems, all the time, at least mentally. They have the mind-set to automatically think of ways to break into almost any system they come across. By looking at systems through the eyes of a hacker, you can better identify weaknesses and create defenses. The best antihackers are hackers themselves.
